Customer relationship management: risks and controls; Built to better serve customers and increase sales, CRM database systems need specific controls to mitigate the associated risks

Internal Auditor, Dec, 2004 by George R. Aldhizer, III, James D. Cashell

CUSTOMER RELATIONSHIP MANAGEMENT (CRM) IS RAPIDLY becoming an integral part of many organizations. Used to better serve customers and increase sales, CRM integrates company business processes that have direct interaction with customers, such as customer support (e.g., call centers), field support (e.g., sales reps), marketing, sales (e.g., pending customer sales orders), and purchasing (e.g., inventory levels of requested products, including any products on back order).

[ILLUSTRATION OMITTED]

CRM systems were all but nonexistent a few years ago, but the relatively modest cost to install an on-site CRM system or establish a hosted or outsourced relationship with a CRM provider is one reason that global sales have skyrocketed during the past 12 months. A 2004 International Data Corp. (www.idc.com) study of more than 30 large U.S. and European organizations found that 57 percent of respondents achieved a positive return on investment (ROI) from CRM systems within one year, and 93 percent achieved a positive ROI within three years. In 2003, an article on InformationWeek.com estimated that the worldwide market for CRM software could reach $20 billion within the next few years.

Although there are many aspects involved in a successful CRM implementation, two key factors are providing an integrated, real-time CRM-data management system (CRM-DMS) and establishing an effective and efficient call center.

CRM-DMS

With a CRM-DMS, organizations can better understand and anticipate the needs of existing customers, thus increasing their satisfaction and loyalty. This is critical because it costs substantially more to acquire a new customer than to keep an existing one. Additionally, the CRM-DMS facilitates the analysis of past customer buying habits and preferences and helps create cross-selling and up-selling opportunities. For example, the data management system may include sophisticated data mining and analysis techniques to help organizations analyze written notes taken by call center workers and to analyze responses to consumer surveys. These analyses can be used to identify customers who are more likely to accept new services or purchase a particular product. A CRM-DMS also can be used effectively to identify legitimate potential customers, such as those who initiated an online sales order or who were quoted a sales price by a call center but did not purchase the good or service.

Without an effective CRM-DMS, customer information is often scattered across many databases, servers, and desktop/laptop hard drives in different divisions such as sales, marketing, customer service, and accounting. This problem becomes especially difficult for organizations with multiple sales channels such as companies that not only have actual sales outlets, but also support mail-order catalog and Internet sales. When customer information is fragmented, those who need it cannot access it easily. Atlanta-based Sun Trust Banks Inc., for example, justified its recent investment in a CRM-DMS because its sales representatives were making numerous duplicate sales calls to some prospects, while forgetting to contact others.

The CRM-DMS requires special consideration by internal auditing. First, because the DMS supports all direct contacts with customers, it is important to ensure that communication links, such as call centers, are getting accurate and consistent data so they can operate effectively. Second, because the DMS directly impacts the revenue stream, it is important to ensure that the data is accurate to assure proper revenue recognition for financial reporting purposes. Because of the system's significance to the organization, it is important for internal auditors to ensure that CRM-DMS risks are adequately identified, that effective controls are in place, and that management is providing adequate, periodic monitoring and testing of these controls.

For those companies implementing a new CRM-DMS, using the skills of an internal auditor who understands the organization's processes and procedures can help guide the customization of the system. The internal auditor's role is to help ensure that adequate internal controls are in place before the "go live" date. Although this part of the process is time-consuming and intense, it should not be skipped or rushed.

After the new system is rolled out, it should be reviewed based on feedback from end-users. Two key issues to address are: Is it as functional as desired, and what changes would improve the system? For example, are there excessive internal controls that may cause the system to be less straight-forward or harder to learn?

RISKS AND CONTROLS

A CRM-DMS usually is associated with significant revenue cycle or application and architectural security risks. This is especially an issue for organizations subject to the documentation and testing provisions of the U.S. Sarbanes-Oxley Act of 2002, because CRM can be a source of material internal control weaknesses or significant internal control deficiencies. Key CRM-DMS risks, mitigating controls, and audit considerations include data input, discount policy, and access and security. Internal auditors need to understand these risks and controls so they can ensure internal control effectiveness and help their organization comply with Sarbanes-Oxley provisions.