Managing risks in a Salesforce environment

Transcription

1 Managing risks in a Salesforce environment

2 Managing risks in a Salesforce environment In today s rapidly changing world of business, only companies that understand and anticipate customer needs and consistently deliver unique, tailored experiences will be able to attract and retain loyal customers. Across industries, many companies are turning to the cloud by implementing Salesforce sales, marketing and service solutions to enable them to be more agile and more customer-responsive in order to create unique value for customers. These changes may come with challenges to internal controls as well as governance, risk and compliance (GRC) processes. Companies are rethinking and redesigning the way they identify new customers and opportunities. They are doing so by updating and modernizing sales and after-sales processes, and increasing their reliance on technology to drive customer interactions, behaviors, relationships and sales. As a result, companies should also consider reassessing their risk profile. Through proper attention to internal controls, companies can effectively utilize the features and functionality within Salesforce, such as Salesforce Shield, to implement customer-centric processes that are well controlled and governed. Managing risks in a Salesforce environment 1

3 The need to reexamine controls The implementation of new Salesforce solutions can involve significant business transformation as companies redefine processes to take advantage of the technology s benefits, as well as integrate Salesforce with other enterprise systems to create efficient end-to-end processes. As companies reexamine their marketing, sales and service processes including such areas as the definition of prices, discounts, customer claims and return of faulty goods previously defined internal controls and GRC processes also require reexamination to help establish an effective, efficient and controlled execution of business processes (Figure 1). Companies should consider questions in the following areas: Privacy. Are we collecting personal data that subjects us to regulatory requirements or contractual commitments? Health Insurance Portability and Accountability Act (HIPAA). Are we a covered entity or are our business associates processing protected health information (ephi)? Sarbanes Oxley (SOX). How do we help establish that the prices and discounts sales agents use are properly authorized? Can the sales agents sign sales orders with any account? Figure 1: Potential risks Customer is not authorized Sales order prices are inaccurate and not authorized Sales order price overrides and price master file changes are not accurately recorded Sales orders are not valid Sales order discounts are not authorized Inappropriate information is collected Claims are not authorized Good returns are inaccurate or not authorized Communications with customers are inaccurate or not authorized Case responses do not respect Service Level Agreements with customers Communications with customers are inaccurate or not authorized Documents shared with customers/partners are not authorized Inappropriate employee use Collision with other internal communication and collaboration tools Periodic review of accounts and contacts Approval of pricing Approval of discounts by account Automatic block of sales price overrides Increased governance over the design of the system Review and approval of claims Review of cases and approval of good returns Automatic escalation of cases inside specific times within Service Level Agreements Document file limits are configured to reduce the risk that unauthorized documents are shared Chatter is configured to limit the types of documents that users can share User Policies Increased governance over chatter communications Controls Managing risks in a Salesforce environment 2

4 To adopt an agile and responsive customer-centric model, companies are investing in tools and processes to address a variety of compliance requirements in a more efficient manner. These requirements come from regulatory entities, auditors, and other stakeholders, and are key for managing internal risks. No matter what stage of the Salesforce implementation journey a company is in, a reevaluation of internal controls will help confirm that GRC processes and controls are designed and implemented to properly address requirements and other potential risks (Figure 2). Figure 2: 01 Will this change? Impact compliance to external/ internal requirements Impact the way you manage your financial data Impact your controls Impact the way users access to your data 04 Can you do it better? Governance Process improvement leveraging Salesforce functionalities Integration with other systems Control optimization Security design 02 How are you? Controlling the execution of your processes Managing compliance Managing the access to client s data Creating efficiencies Integrating Salesforce with other enterprise systems 03 What are you doing to? Meet increasing regulatory requirements Manage internal control systems Maintain Salesforce apps in a controlled way Achieve the right level of governance over SFDC Managing risks in a Salesforce environment 3

5 Salesforce functionality to help manage internal controls In conjunction with the implementation of internal controls, companies can effectively utilize Salesforce Shield and other built-in Salesforce functionalities to implement customer-centric processes that accomplish business objectives. These tools can help companies develop innovative ways to manage user access, compliance, and operational risks while improving the overall customer experience. Three such functionalities are Salesforce Event Monitoring, Field Audit Trail and Encryption. Event Monitoring. For companies that need to know who is accessing which systems and which data, and what they are doing with them, Salesforce Event Monitoring delivers event log files that can be imported into a visualization application, allowing management to monitor the correct execution of their CRM processes and related controls. Field Audit Trail. Field Audit Trail allows companies to confirm that data is accurate and complete, and that business processes have been followed correctly. Within Salesforce, Field Audit Trail tracks field history of up to 60 fields per object and retains it for up to 10 years. Encryption. Encryption of data at rest can be a useful tool that adds an additional layer of protection to help mitigate risks of sensitive data. Salesforce Encryption helps protect an organization s data by offering native platform encryption and key management features. Salesforce Encryption allows companies to protect data at a more granular level while still preserving business functionality and permitting users to perform necessary tasks. Organizations can encrypt files, attachments and certain standard and custom fields through the use of an advanced security key management system. Other functionalities include user authentication (single-factor or two-factor authentication), customization of the level of access to objects and records based on a company needs, and the ability to define approval workflows. Managing risks in a Salesforce environment 4

6 Leveraging the available tools Companies are responsible for the definition and implementation of controls, and areas that often require specific attention include control integration, security design, data privacy and overall control governance. Control integration. Companies may develop process inefficiencies if they don t adequately reexamine their internal control systems during a Salesforce implementation. As organizations move to an agile, customer-centric business model, they will want to anticipate these controls so that once a customer interaction is complete, any issues get identified and addressed. This helps to support customers and creates the efficiencies desired from a control standpoint. When marketing or sales agents enter data gathered from customers into the relevant enterprise systems, numerous verifications take place, such as whether business interactions with a customer are allowed, what key information is required, and what level of authorization the agent has for determining pricing or discounts. These areas require a transfer of controls from back-end systems to Salesforce in order to efficiently execute business processes. If controls are not implemented during the customer-facing phase of the process, the company sets a customer expectation by introducing an agile process but fails to deliver because of necessary rework and process inefficiency. For example, consider a situation wherein a sales agent gathers data from a customer, and subsequently, controls within the company s ERP system determine that the business interactions with the customer were not allowed. The sales agent has lost valuable time by discovering too late that the time spent interacting with the customer will not bring business to the company. Further, consider a scenario where a sales agent uses mobile technology to acquire a customer s signature for a contract. Once this data is interfaced to the company s enterprise system, the system may indicate that the sales agent perhaps used non-authorized pricing, applied non-authorized discounts, or even omitted required information. The sales agent must initiate further customer interaction to correct these issues. A thorough analysis of the way internal controls should be integrated with new customer-facing business processes helps to facilitate the desired efficiencies and business outcomes. Case study: Establishing efficient controls over financial reporting Issue: A large public company implemented Sales Cloud and created an interface between Salesforce and its ERP system. New customers and new sales orders were created directly in Salesforce and uploaded to the ERP system. Prices were entered into the ERP system and were uploaded to Salesforce. As part of financial reporting controls, the company had to make sure that customers were valid and approved by an adequate level of management prior to conducting business with them. Solution: PwC helped the company design and implement approval workflows within Salesforce and helped confirm that prices updated within the ERP system were accurately transmitted to Salesforce. This helped confirm that no user was able to modify prices in Salesforce to bypass controls present within the ERP system. Finally, PwC assessed user security in order to identify segregation of duty issues. As a result of these actions, the organization can be more confident that it has appropriate controls over these areas for financial reporting, as well as benefit from more efficient execution of business processes. Managing risks in a Salesforce environment 5

7 Security design. Secure applications can be built using standard Salesforce capabilities, but in many organizations security design may be complex. Companies may not have the proper segregation of duties in place and therefore need to rethink the design of the processes that enforce security, and leverage Salesforce access controls. Access to data within Salesforce is granted by a combination of multiple elements that define which kinds of information users can access, as well as which records users can share between themselves. Profiles and Organization Wide Defaults (OWD) constitute the basic security. Other elements such as Role Hierarchy and Sharing Rules are used to manage access at the record level. When determining the level of user access, it is not sufficient to assess profiles, OWD, and roles assigned to users. For example, it is important to recognize that a level of security gets transmitted to higher levels of the hierarchy. This allows a user to access records with the same level of access rights as other users who report to him or her. Attention to security design in the context of process and organization is paramount to establishing effective internal controls. Data privacy. Based on the industry and jurisdictions in which they operate, companies may have to meet stringent requirements regarding the processing of sensitive information. Even though there is generally no regulatory requirement to encrypt data, a company may decide to pursue such an additional level of protection as a way to further secure their data and manage risk. An organization should perform a risk assessment to determine the criticality and sensitivity of the information being processed, stored, and transmitted by Salesforce in order to effectively use Salesforce data protection functionalities. Case study: Establishing confidence in data privacy Issue: A healthcare company implemented Salesforce Sales Cloud and Service Cloud. Based on the design, the company stored some electronic protected health information (ephi) in Salesforce. Solution: PwC helped the company perform a risk assessment to classify protected data and select the proper countermeasures. PwC then helped to protect the confidentiality of ephi via encryption, and set relevant audit trails to track changes to data. Because of these efforts, the company is able to better leverage advanced functionality in new customer-facing processes, as well as have more confidence that they are remaining HIPAA compliant and appropriately protecting the privacy of patients. Control governance. Salesforce recognizes that many companies are subject to multiple regulations that govern the handling of information, and therefore provides a security program that addresses certifications, policies, practices, people, and technology. However, there is a significant part of the internal control systems that still needs to be addressed by companies, such as the way companies design and implement their business processes. For example, Salesforce is certified ISO for information security, but companies are responsible for the security profiles they define for their own purposes and the related assignment to users (Figure 3). Managing risks in a Salesforce environment 6

8 Figure 3: Salesforce Trust Services ISO Information security SSAE 16/ISAE 3402 soc-1 Reports on Controls at a Service Organization Relevant to User Entities Internal Control Over Financial Reporting SOC 2 Reports on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality and Privacy SOC 3 (SysTrust) Trust Services Report for Service Organization FISMA Federal Information Security Management Act PCI-DSS Payment Card Industry (PCI) Data Security Standard (DSS) Company s Responsibility Information security of companies data managed outside SFDC cloud Financial controls over custom development apps and interactions with other enterprise systems End user control considerations. End user considerations together with the control activities at the service organization work in conjunction to achieve the related control objective Access by unauthorized individuals given by SFDC administrators Companies need to specify which fields need to be encrypted; SFDC does not encrypt data by default The encryption of data and the management of logs are other areas that carry significant responsibility for companies. Based on specific regulations (e.g. HIPAA/HITECH, FISMA, etc.), organizations must build infrastructure and create strategies to protect against threats to the security of their information, including strategies that investigate potential security breaches. While Salesforce allows organizations to encrypt data and manage logs, it is the responsibility of the company to determine which data needs to be encrypted and/or logged. Ultimately, end user considerations together with the control activities at the service organization have to work in conjunction to achieve control objectives and GRC management. Managing risks in a Salesforce environment 7

9 The end result Salesforce cloud-based solutions enable companies to operate with the flexibility and speed they need to create unique customer value. However, as with any transformational change, implementation can introduce new risks. Salesforce offers both core and advanced features that can be very effective at ensuring controls are in place, but these features don t stand on their own. They must be aligned and tailored to the individual organization s specific needs. Whether a company is just considering a Salesforce implementation or is already operational and striving for continuous improvement, an evaluation of internal controls will help company management enable an effective, efficient and controlled execution of business processes. Managing risks in a Salesforce environment 8

10 pwc.com/us/riskassurance salesforce.com Contact us: Bob Clark Principal at PwC Enterprise Systems Solutions U.S. Leader Andrea Acciarri Director at PwC Enterprise Systems Solutions Salesforce Leader Jim Rivera VP, Product Manager, Salesforce Shield The information provided in this white paper is strictly for the convenience of our customers and is for general informational purposes only. Publication bysalesforce.com, inc. does not constitute an endorsement. Salesforce.com, inc. does not warrant the accuracy or completeness of any information, text, graphics, links or other items contained within this white paper. Salesforce.com, inc. does not guarantee you will achieve any specific results if you follow any advice in the white paper. It may be advisable for you to consult with a professional such as a lawyer, accountant, architect, business advisor or professional engineer to get specific advice that applies to your specific situation salesforce.com, inc. All rights reserved PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see for further details. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see