Why your IT audit plan should include a specialist CRM system review
May 30, 2019
Cloud platforms have revolutionised CRM (customer relationship management) for businesses across the world. But with benefits comes risk. An increasing array of business risks is being inexorably tied to corporate CRM, for a variety of reasons – and that has created a strong argument that IT audits of CRM should be carried out by a specialist team.
The EU General Data Protection Regulation (GDPR) creates an immediate security challenge for any CRM software. GDPR compliance is a huge deal for companies – with GDPR fines putting a maximum 4% of global revenues at risk – and it’s impossible to find any company that hasn’t taken some form of action to manage this risk. As a result, audit committees are questioning closely whether IT system controls will remain fit for purpose over the longer term, not just for initial GDPR compliance. Or at least, they should.
And it’s not just a degradation in your current security that needs to be the concern. The expectations of regulators tend to increase in parallel with the development of audit and security technology. It’s like an arms race – if something goes wrong and there was technology available to prevent it, regulators will want to know why you weren’t using it. That’s the issue around top-tier CRM products like Salesforce – the security and technology for protecting and reviewing the platform is becoming relatively well-developed, so any company that suffers a GDPR breach should expect some pointed questions from regulators.
So, outside of GDPR, where do the other risks lie? There are three further areas that need careful examination:
Data quality has long been a challenge for all CRMs. CRM companies provide the security and controls capability to run a tightly controlled application that addresses many of the main issues, such as record duplication, but the onus remains on the user to tailor these to their needs. Too often, the balance between operational openness and secure control isn’t right, with the result that the potential of these huge CRM investments isn’t fully realised. IT auditors should be flagging these risks, ideally before implementation, to help companies maximise their investment.
Some providers have developed offerings that sit outside traditional CRM. Some of these, like services dealing with shipping records or revenue recognition, bring the software into other regulated sectors, perhaps even into scope for the external audit and potentially Sarbanes-Oxley too. This needs a specialised response. At PwC we already have tools to perform detailed security and controls analysis on Salesforce, and internal audit functions should be examining their own specialised response to these risks.
Commercially sensitive data
CRM systems typically include a large amount of commercially sensitive data, which has increased with their functional expansion. Companies have traditionally downplayed the risks of read-only access and pay less attention than they should to restricting it. Any audit review should validate all types of access on a needs-only basis.
If you take all of these risks into account, along with the fact that some of the top-tier CRM products have high levels of configurability and a complex security model, it really does build a strong case for a specialist team to perform any IT audit review. This is too important, and too risky, to be delegated to part of a general IT audit.