Managing risks in a Salesforce® environment
In today’s rapidly changing world of business, only companies that understand and anticipate customer needs and consistently deliver unique, tailored experiences will be able to attract and retain loyal customers. Across industries, many companies are turning to the cloud by implementing Salesforce sales, marketing and service solutions to enable them to be more agile and more customer-responsive in order to create unique value for customers. These changes may come with challenges to internal controls as well as governance, risk and compliance (GRC) processes. Companies are rethinking and redesigning the way they identify new customers and opportunities. They are doing so by updating and modernizing sales and after-sales processes, and increasing their reliance on technology to drive customer interactions, behaviors, relationships and sales. As a result, companies should also consider reassessing their risk profile.
Through proper attention to internal controls, companies can effectively utilize the features and functionality within Salesforce, such as Salesforce Shield, to implement customer-centric processes that are well controlled and governed.
The need to reexamine controls
The implementation of new Salesforce solutions can involve significant business transformation as companies redefine processes to take advantage of the technology’s benefits, as well as integrate Salesforce with other enterprise systems to create efficient end-to-end processes.
As companies reexamine their marketing, sales and service processes—including such areas as the definition of prices, discounts, customer claims and return of faulty goods—previously defined internal controls and GRC processes also require reexamination to help establish an effective, efficient and controlled execution of business processes (Figure 1). Companies should consider questions in the following areas:
Privacy. Are we collecting personal data that subjects us to regulatory requirements or contractual commitments?
Health Insurance Portability and Accountability Act (HIPAA). Are we a covered entity or are our business associates processing protected health information (ePHI)?
Sarbanes–Oxley (SOX). How do we help establish that the prices and discounts sales agents use are properly authorized? Can the sales agents sign sales orders with any account?
Figure 1:
• Customer is not authorized
• Sales order prices are inaccurate and not authorized
• Sales order price overrides and price master file changes are not accurately recorded
• Sales orders are not valid
• Sales order discounts are not authorized
• Inappropriate information is collected
• Periodic review of accounts and contacts
• Claims are not authorized
• Goods returns are inaccurate or not authorized
• Communications with customers are inaccurate or not authorized
• Case responses do not respect Service Level Agreements with customers
• Review and approval of claims
• Documents shared with customers/partners are not authorized
• Inappropriate employee use
• Collision with other internal communication and collaboration tools
• Document file limits are configured to reduce the
Potential risks
To adopt an agile and responsive customer-centric model, companies are investing in tools and processes to address a variety of compliance requirements in a more efficient manner. These requirements come from regulatory entities, auditors, and other stakeholders, and are key for managing internal risks. No matter what stage of the Salesforce implementation journey a company is in, a reevaluation of internal controls will help confirm that GRC processes and controls are designed and implemented to properly address requirements and other potential risks (Figure 2).
Figure 2:
How are you …?
• Controlling the execution of your processes
• Managing compliance
• Managing the access to client’s data
• Creating efficiencies
• Integrating Salesforce with other enterprise systems
What are you doing to …?
• Meet increasing regulatory requirements
• Manage internal control systems
• Maintain Salesforce apps in a controlled way
• Achieve the right level of governance over SFDC
Will this change …?
• Impact compliance to external/internal requirements
• Impact the way you manage your financial data
• Impact your controls
• Impact the way users access your data
Can you do it better …?
• Governance
• Process improvement leveraging Salesforce functionalities
• Integration with other systems
• Control optimization
• Security design
Salesforce functionality to help manage internal controls
In conjunction with the implementation of internal controls, companies can effectively utilize Salesforce Shield and other built-in Salesforce functionalities to implement customer-centric processes that accomplish business objectives. These tools can help companies develop innovative ways to manage user access, compliance, and operational risks while improving the overall customer experience. Three such functionalities are Salesforce Event Monitoring, Field Audit Trail and Encryption.
Event Monitoring. For companies that need to know who is accessing which systems and which data, and what they are doing with them, Salesforce Event Monitoring delivers event log files that can be imported into a visualization application, allowing management to monitor the correct execution of their CRM processes and related controls.
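As an added example, not taken from this white paper or from Salesforce, the following Python script runs two simple control checks over a constructed sample in the CSV shape of an event log file export: it flags exports above a row threshold and logins or exports outside a business-hours window, and totals exported rows per user. The column names, user ids, addresses, threshold and hours window are assumptions made for the illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample rows in the CSV shape of an event log file export.
# Column names, user ids and addresses are assumptions made for this example,
# not copied from a real Salesforce org.
SAMPLE_LOG = """EVENT_TYPE,TIMESTAMP,USER_ID,SOURCE_IP,ROWS_PROCESSED
Login,2015-06-01T08:02:11Z,005A1,203.0.113.10,0
ReportExport,2015-06-01T08:15:40Z,005A1,203.0.113.10,120
ReportExport,2015-06-01T23:41:02Z,005B2,198.51.100.7,48000
ReportExport,2015-06-01T23:43:15Z,005B2,198.51.100.7,51000
Login,2015-06-02T02:10:00Z,005B2,198.51.100.7,0
ReportExport,2015-06-02T10:30:00Z,005C3,203.0.113.11,300
"""

BUSINESS_HOURS = range(7, 20)     # 07:00-19:59 UTC; assumed policy window
EXPORT_ROW_THRESHOLD = 10_000     # rows in one export that warrant review; assumed


def parse_log(text):
    """Parse the CSV text into dicts with a typed timestamp and row count."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["TIMESTAMP"] = datetime.strptime(row["TIMESTAMP"], "%Y-%m-%dT%H:%M:%SZ")
        row["ROWS_PROCESSED"] = int(row["ROWS_PROCESSED"])
    return rows


def analyze(text):
    """Return findings as (kind, user, timestamp) plus exported rows per user."""
    findings = []
    exported_rows = defaultdict(int)
    for row in parse_log(text):
        user, when = row["USER_ID"], row["TIMESTAMP"]
        if row["EVENT_TYPE"] == "ReportExport":
            exported_rows[user] += row["ROWS_PROCESSED"]
            if row["ROWS_PROCESSED"] >= EXPORT_ROW_THRESHOLD:
                findings.append(("large_export", user, when.isoformat()))
        # logins and exports outside the policy window are reviewed, whatever their size
        if row["EVENT_TYPE"] in ("Login", "ReportExport") and when.hour not in BUSINESS_HOURS:
            findings.append(("off_hours", user, when.isoformat()))
    return {"findings": findings, "export_rows_by_user": dict(exported_rows)}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for kind, user, when in result["findings"]:
        print(f"{kind:13} user={user} at={when}")
    print("rows exported per user:", result["export_rows_by_user"])
```

On the sample, every finding concerns the same user, who exported two large reports late in the evening and logged in again at night; the per-user totals are the kind of figure a visualization application would chart so that management can see such patterns without reading raw rows.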
Field Audit Trail. Field Audit Trail allows companies to confirm that data is accurate and complete, and that business processes have been followed correctly. Within Salesforce, Field Audit Trail tracks field history of up to 60 fields per object and retains it for up to 10 years.
Encryption. Encryption of data at rest can be a useful tool that adds an additional layer of protection to help mitigate risks of sensitive data. Salesforce Encryption helps protect an organization’s data by offering native platform encryption and key management features. Salesforce Encryption allows companies to protect data at a more granular level while still preserving business functionality and permitting users to perform necessary tasks. Organizations can encrypt files, attachments and certain standard and custom fields through the use of an advanced security key management system.
Leveraging the available tools
Companies are responsible for the definition and implementation of controls, and areas that often require specific attention include control integration, security design, data privacy and overall control governance.
Control integration. Companies may develop process inefficiencies if they don’t adequately reexamine their internal control systems during a Salesforce implementation. As organizations move to an agile, customer-centric business model, they will want to anticipate these controls so that once a customer interaction is complete, any issues get identified and addressed. This helps to support customers and creates the efficiencies desired from a control standpoint.
When marketing or sales agents enter data gathered from customers into the relevant enterprise systems, numerous verifications take place, such as whether business interactions with a customer are allowed, what key information is required, and what level of authorization the agent has for determining pricing or discounts. These areas require a transfer of controls from back-end systems to Salesforce in order to efficiently execute business processes. If controls are not implemented during the customer-facing phase of the process, the company sets a customer expectation by introducing an agile process but fails to deliver because of necessary rework and process inefficiency. For example, consider a situation wherein a sales agent gathers data from a customer, and subsequently, controls within the company’s ERP system determine that the business interactions with the customer were not allowed. The sales agent has lost valuable time by discovering too late that the time spent interacting with the customer will not bring business to the company. Further, consider a scenario where a sales agent uses mobile technology to acquire a customer’s signature for a contract. Once this data is interfaced to the company’s enterprise system, the system may indicate that the sales agent perhaps used non-authorized pricing, applied non-authorized discounts, or even omitted required information. The sales agent must initiate further customer interaction to correct these issues. A thorough analysis of the way internal controls should be integrated with new customer-facing business processes helps to facilitate the desired efficiencies and business outcomes.
Case study: Establishing efficient controls over financial reporting
Issue: A large public company implemented Sales Cloud and created an interface between Salesforce and its ERP system. New customers and new sales orders were created directly in Salesforce and uploaded to the ERP system. Prices were entered into the ERP system and were uploaded to Salesforce. As part of financial reporting controls, the company had to make sure that customers were valid and approved by an adequate level of management prior to conducting business with them.
Solution: PwC helped the company design and implement approval workflows within Salesforce and helped confirm that prices updated within the ERP system were accurately transmitted to Salesforce. This helped confirm that no user was able to modify prices in Salesforce to bypass controls present within the ERP system. Finally, PwC assessed user security in order to identify segregation of duty issues. As a result of these actions, the organization can be more confident that it has appropriate controls over these areas for financial reporting, as well as benefit from more efficient execution of business processes.
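One detective control that supports the price-integrity objective in this case study is a periodic reconciliation of the Salesforce price book against the ERP price list. The Python below is an added example written for this article, not PwC’s or the company’s implementation; the product codes, prices and the service-account name `erp_integration` are constructed, and the check assumes the interface writes prices as a dedicated integration user so that any other modifier indicates a manual change.

```python
INTEGRATION_USER = "erp_integration"   # assumed name of the interface's service account

# Constructed data: the ERP price list is the authoritative source; the Salesforce
# price book entries are what a reviewer would export from the org for the check.
ERP_PRICES = {"SKU-100": 250.00, "SKU-200": 99.50, "SKU-300": 1200.00}
SF_PRICEBOOK = [
    {"product": "SKU-100", "unit_price": 250.00,  "last_modified_by": "erp_integration"},
    {"product": "SKU-200", "unit_price": 89.50,   "last_modified_by": "jsmith"},
    {"product": "SKU-300", "unit_price": 1200.00, "last_modified_by": "erp_integration"},
    {"product": "SKU-999", "unit_price": 10.00,   "last_modified_by": "jsmith"},
]


def reconcile(erp_prices, sf_pricebook, integration_user=INTEGRATION_USER):
    """Return a list of (exception_kind, product, last_modified_by) for review."""
    exceptions = []
    seen = set()
    for entry in sf_pricebook:
        sku = entry["product"]
        seen.add(sku)
        if sku not in erp_prices:
            # a price the ERP never issued cannot have passed the ERP's approval
            exceptions.append(("not_in_erp", sku, entry["last_modified_by"]))
            continue
        if abs(entry["unit_price"] - erp_prices[sku]) >= 0.005:
            exceptions.append(("price_mismatch", sku, entry["last_modified_by"]))
        if entry["last_modified_by"] != integration_user:
            # an edit by a person, even to the correct value, bypassed the interface
            exceptions.append(("manual_change", sku, entry["last_modified_by"]))
    for sku in erp_prices:
        if sku not in seen:
            # approved price never reached the sales agents
            exceptions.append(("missing_in_salesforce", sku, None))
    return exceptions


if __name__ == "__main__":
    for kind, sku, who in reconcile(ERP_PRICES, SF_PRICEBOOK):
        print(f"{kind:22} {sku} modified_by={who}")
```

The "manual_change" exception is deliberately raised even when the value happens to match the ERP, because the control being evidenced is that prices only arrive through the interface; a correct value entered by hand still shows that the path around the control exists.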
Security design. Secure applications can be built using standard Salesforce capabilities, but in many organizations security design may be complex. Companies may not have the proper segregation of duties in place and therefore need to rethink the design of the processes that enforce security, and leverage Salesforce access controls.
Access to data within Salesforce is granted by a combination of multiple elements that define which kinds of information users can access, as well as which records users can share between themselves. Profiles and Organization Wide Defaults (OWD) constitute the basic security. Other elements such as Role Hierarchy and Sharing Rules are used to manage access at the record level. When determining the level of user access, it is not sufficient to assess profiles, OWD, and roles assigned to users. For example, it is important to recognize that record access granted at one level of the Role Hierarchy is inherited by the levels above it: a user can access records with the same level of access rights as the users who report to him or her. Attention to security design in the context of process and organization is paramount to establishing effective internal controls.
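To make the combination of elements concrete, the Python below is an added example that models a small constructed org (roles, users, profiles, OWD and one sharing rule) and computes the effective record access for a user together with the reasons. It is a simplified model written for this article, not Salesforce’s sharing engine: it ignores permission sets, manual shares, teams and territories, and assumes that access always rolls up the role hierarchy. The role, user and profile names are constructed.

```python
from dataclasses import dataclass

# Constructed role hierarchy: role -> manager's role (None at the top)
ROLE_PARENT = {
    "CEO": None,
    "VP Sales": "CEO",
    "Sales Rep East": "VP Sales",
    "Sales Rep West": "VP Sales",
    "Finance Analyst": "CEO",
}

# Object-level permissions per profile: C=create, R=read, E=edit, D=delete
PROFILE_OBJECT_PERMS = {
    "Sales User":   {"Opportunity": "CRED", "Account": "CRED"},
    "Finance User": {"Opportunity": "R",    "Account": "R"},
}

# Organization Wide Defaults per object (constructed)
OWD = {"Opportunity": "Private", "Account": "Public Read Only"}

# Owner-based sharing rule: Opportunities owned by East reps are readable by Finance
SHARING_RULES = [
    {"obj": "Opportunity", "owner_role": "Sales Rep East",
     "share_with_role": "Finance Analyst", "access": "Read"},
]


@dataclass(frozen=True)
class User:
    name: str
    role: str
    profile: str


@dataclass(frozen=True)
class Record:
    obj: str
    owner: str   # user name


USERS = {u.name: u for u in [
    User("alice", "Sales Rep East", "Sales User"),
    User("bob", "Sales Rep West", "Sales User"),
    User("vera", "VP Sales", "Sales User"),
    User("fay", "Finance Analyst", "Finance User"),
    User("carl", "CEO", "Sales User"),
]}
OPP_EAST = Record("Opportunity", "alice")
ACC_WEST = Record("Account", "bob")


def subordinate_roles(role):
    """All roles below `role` in the hierarchy, transitively."""
    below, frontier = set(), [role]
    while frontier:
        current = frontier.pop()
        for child, parent in ROLE_PARENT.items():
            if parent == current and child not in below:
                below.add(child)
                frontier.append(child)
    return below


def effective_access(user, record, users):
    """Return (level, reasons); level is None, 'Read' or 'Edit'."""
    perms = PROFILE_OBJECT_PERMS[user.profile].get(record.obj, "")
    if "R" not in perms:
        return None, ["profile denies object access"]
    owner = users[record.owner]
    subs = subordinate_roles(user.role)
    grants = []
    if owner.name == user.name:
        grants.append(("Edit", "record owner"))
    elif owner.role in subs:
        # access rolls up: a manager gets the owner's access to the record
        grants.append(("Edit", f"role hierarchy: owner is in subordinate role {owner.role}"))
    if OWD[record.obj] == "Public Read/Write":
        grants.append(("Edit", "OWD Public Read/Write"))
    elif OWD[record.obj] == "Public Read Only":
        grants.append(("Read", "OWD Public Read Only"))
    for rule in SHARING_RULES:
        if rule["obj"] != record.obj or rule["owner_role"] != owner.role:
            continue
        # a rule shared with a role also reaches everyone above that role
        if user.role == rule["share_with_role"] or rule["share_with_role"] in subs:
            grants.append((rule["access"], f"sharing rule for owner role {rule['owner_role']}"))
    if not grants:
        return None, ["no owner, hierarchy, OWD or sharing grant"]
    level = "Edit" if any(lvl == "Edit" for lvl, _ in grants) else "Read"
    if level == "Edit" and "E" not in perms:
        level = "Read"   # a record-level grant cannot exceed the profile's object permission
    return level, [why for _, why in grants]


if __name__ == "__main__":
    for name in USERS:
        level, reasons = effective_access(USERS[name], OPP_EAST, USERS)
        print(f"{name:6} Opportunity(owner=alice): {level} via {reasons}")
```

Running it shows the point of the paragraph: the West rep gets nothing on a Private opportunity owned by the East rep, the VP and the CEO get Edit purely through the hierarchy, and the finance analyst gets Read through the sharing rule but could never get Edit because the profile’s object permission caps the record-level grant. A review that only listed profiles and roles would miss the sharing-rule grant and the roll-up.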
Data privacy. Based on the industry and jurisdictions in which they operate, companies may have to meet stringent requirements regarding the processing of sensitive information. Even though there is generally no regulatory requirement to encrypt data, a company may decide to pursue such an additional level of protection as a way to further secure their data and manage risk. An organization should perform a risk assessment to determine the criticality and sensitivity of the information being processed, stored, and transmitted by Salesforce in order to effectively use Salesforce data protection functionalities.
Case study: Establishing confidence in data privacy
Issue: A healthcare company implemented Salesforce Sales Cloud and Service Cloud. Based on the design, the company stored some electronic protected health information (ePHI) in Salesforce.
Solution: PwC helped the company perform a risk assessment to classify protected data and select the proper countermeasures. PwC then helped to protect the confidentiality of ePHI via encryption, and set relevant audit trails to track changes to data. Because of these efforts, the company is able to better leverage advanced functionality in new customer-facing processes, as well as have more confidence that they are remaining HIPAA compliant and appropriately protecting the privacy of patients.
Control governance. Salesforce recognizes that many companies are subject to multiple regulations that govern the handling of information, and therefore provides a security program that addresses certifications, policies, practices, people, and technology. However, there is a significant part of the internal control systems that still needs to be addressed by companies, such as the way companies design and implement their business processes. For example, Salesforce is certified ISO 27001 for information security, but companies are responsible for the security profiles they define for their own purposes and the related assignment to users (Figure 3).
Figure 3: Salesforce Trust Services and the Company’s Responsibility
ISO 27001
  Salesforce Trust Services: Information security
  Company’s Responsibility: Information security of companies’ data managed outside SFDC cloud
SSAE 16/ISAE 3402 SOC 1
  Salesforce Trust Services: Reports on Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting
  Company’s Responsibility: Financial controls over custom development apps and interactions with other enterprise systems
SOC 2
  Salesforce Trust Services: Reports on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality and Privacy
  Company’s Responsibility: End user control considerations. End user considerations together with the control activities at the service organization work in conjunction to achieve the related control objective
SOC 3 (SysTrust)
  Salesforce Trust Services: Trust Services Report for Service Organization
FISMA
  Salesforce Trust Services: Federal Information Security Management Act
  Company’s Responsibility: Access by unauthorized individuals given by SFDC administrators
PCI-DSS
  Salesforce Trust Services: Payment Card Industry (PCI) Data Security Standard (DSS)
  Company’s Responsibility: Companies need to specify which fields need to be encrypted; SFDC does not encrypt data by default
The encryption of data and the management of logs are other areas that carry significant responsibility for companies. Based on specific regulations (e.g. HIPAA/HITECH, FISMA, etc.), organizations must build infrastructure and create strategies to protect against threats to the security of their information, including strategies that investigate potential security breaches. While Salesforce allows organizations to encrypt data and manage logs, it is the responsibility of the company to determine which data needs to be encrypted and/or logged.
Ultimately, end user considerations together with the control activities at the service organization have to work in conjunction to achieve control objectives and GRC management.
The end result
Salesforce cloud-based solutions enable companies to operate with the flexibility and speed they need to create unique customer value. However, as with any transformational change, implementation can introduce new risks. Salesforce offers both core and advanced features that can be very effective at ensuring controls are in place, but these features don’t stand on their own. They must be aligned and tailored to the individual organization’s specific needs. Whether a company is just considering a Salesforce implementation or is already operational and striving for continuous improvement, an evaluation of internal controls will help company management enable an effective, efficient and controlled execution of business processes.
The information provided in this white paper is strictly for the convenience of our customers and is for general informational purposes only. Publication by salesforce.com, inc. does not constitute an endorsement. Salesforce.com, inc. does not warrant the accuracy or completeness of any information, text, graphics, links or other items contained within this white paper. Salesforce.com, inc. does not guarantee you will achieve any specific results if you follow any advice in the white paper. It may be advisable for you to consult with a professional such as a lawyer, accountant, architect, business advisor or professional engineer to get specific advice that applies to your specific situation. © 2015 salesforce.com, inc. All rights reserved.
Contact us:
Bob Clark
Principal at PwC
Enterprise Systems Solutions U.S. Leader
Andrea Acciarri
Director at PwC
Enterprise Systems Solutions Salesforce Leader
[email protected]
Jim Rivera
VP, Product Manager, Salesforce Shield
[email protected]