Use of Virsa 2318



  • Is anyone familiar with a product called Virsa, which is used with SAP to identify Segregation of Duties issues? My company is looking at using this and was hoping for some input.



  • Virsa is owned by SAP - they bought them a year or two ago. But even before they were acquired by SAP, they were one of the market-leading tools for SOD in SAP.



  • I have worked with VIRSA (also called Compliance Calibrator). Better than SUIM and AIS, because of its coverage of all objects and values needed.
    You will need to create rules using standard and customized transactions, which involves lots of consulting time.
    Be aware of customized transactions. In order to analyze only transaction codes, you will need all customized transaction documentation to create reports with the correct objects and values.



  • Thanks for the input. We are being given rules from our Corporate office next week and will run our first reports to see what remediation is necessary. I have been told initial remediation efforts can be quite large. We shall see.



  • Thanks for the input. We are being given rules from our Corporate office next week and will run our first reports to see what remediation is necessary. I have been told initial remediation efforts can be quite large. We shall see.
    It would be interesting to know if your organization is geographically diverse and you follow different rule sets based on each country or each organization. A one-size-fits-all principle may not apply to the SOD rules, as it would require recruitment of additional resources, just for the sake of complying with Virsa rules.
    It would be great if you can update us on this :lol:



  • My company is quite large (USD 4 billion annual sales) and globally diverse (60 worldwide locations across US, Europe and Asia). I too am interested to see how this will work.
    My understanding is one rule set will be used by all locations (only SAP locations - maybe 30). It is not the full Virsa rule-set, but the rules agreed with the external auditors as ‘key’.
    For SOD conflicts identified that we cannot correct, we must document what mitigating controls are in place to reduce the risk.
    We will see. I have already found we will not get the rule set until week of March 17. I should know more once I actually get into using it. Since you are interested, I’ll keep you posted.



  • Actually, there are two components to Virsa. One is Compliance Calibrator, which allows you to define your SOD roles and issues. The other is Access Enforcer, which actually enforces these rules. If you only have CC in place then you have to run reporting to look for roles with inappropriate access and monitor them on a continuous basis. Virsa will also allow overrides to SOD issues with a valid reason and acceptance of risk by the business owner.
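
The kind of SOD report discussed in this thread, as an added example that is not part of any post and is not Virsa's code or rule format: it shows why a check on transaction codes alone differs from one that also looks at authorization objects and values, and how a documented mitigating control changes a finding. All users, the risk id P001, the control id MC-0007 and the custom transaction ZVEND01 are constructed, and the object/activity pairings are simplified assumptions.

```python
# Added example: constructed data, not Virsa's rule format or code.
# A rule side = transactions that start a function plus the authorization
# object/field values needed to actually perform it (simplified assumption).
VENDOR = {"tcodes": {"FK01", "ZVEND01"},  # ZVEND01: hypothetical custom transaction
          "object": "F_LFA1_BUK", "field": "ACTVT", "values": {"01", "02"}}
PAYMENT = {"tcodes": {"F-53"},
           "object": "F_BKPF_BUK", "field": "ACTVT", "values": {"01"}}
RULES = {"P001": (VENDOR, PAYMENT)}  # constructed risk: maintain vendor + pay vendor

FULL = {("F_LFA1_BUK", "ACTVT"): {"01", "02", "03"},
        ("F_BKPF_BUK", "ACTVT"): {"01"}}
USERS = {  # constructed users
    "ALICE": {"tcodes": {"FK01", "F-53"},
              "auths": {("F_LFA1_BUK", "ACTVT"): {"03"},   # display only
                        ("F_BKPF_BUK", "ACTVT"): {"01"}}},
    "BOB": {"tcodes": {"ZVEND01", "F-53"}, "auths": FULL},
    "CAROL": {"tcodes": {"FK01", "F-53"}, "auths": FULL},
}
MITIGATIONS = {("CAROL", "P001"): "MC-0007"}  # constructed mitigating control


def holds(user, side, object_level=True):
    """True if the user can perform one side of an SOD rule."""
    if not user["tcodes"] & side["tcodes"]:
        return False
    if not object_level:          # transaction-code-only analysis stops here
        return True
    granted = user["auths"].get((side["object"], side["field"]), set())
    return "*" in granted or bool(granted & side["values"])


def analyze(users, rules, mitigations, object_level=True):
    """Return sorted (user, risk, status) for every user holding all sides."""
    findings = []
    for name in sorted(users):
        for risk, sides in sorted(rules.items()):
            if all(holds(users[name], s, object_level) for s in sides):
                control = mitigations.get((name, risk))
                status = "MITIGATED:" + control if control else "OPEN"
                findings.append((name, risk, status))
    return findings


if __name__ == "__main__":
    for row in analyze(USERS, RULES, MITIGATIONS):
        print(*row)
```

With object-level checking ALICE drops out (display-only vendor access), and BOB is only caught because the custom transaction is listed in the rule.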

