Customer relationship management: risks and controls; Built to better serve customers and increase sales, CRM database systems need specific controls to mitigate the associated risks

Internal Auditor, Dec, 2004 by George R. Aldhizer, III, James D. Cashell

According to a June 2003 Consumer Reports survey of several hundred U.S. consumers, 28 percent reported call center communications problems. Within this group, 63 percent complained that the call center staff's English was limited or very hard to understand.

MULTIPLE CENTERS: ELECTRONIC LINKAGE PROCEDURES

The call center audit also should include an evaluation of procedures that ensure seamless links across multiple call centers. For example, if Center A experiences a call overflow, do the calls get re-routed to Center B where there is excess capacity? Auditors should evaluate the controls that ensure the security and integrity of data transmissions between call centers to handle such overflow situations.

In more extreme cases, a call center may be so inundated with calls due to a denial of service attack or a virus infestation that the CRM-DMS is forced to shut down temporarily. If the organization does not have a business continuity plan in place that has been communicated to all call center employees, it will take longer to restore call center operations. During this downtime, not only are revenues lost in the short run, but also frustrated customers may take their business elsewhere in the long run. Free Internet tools (www.bostonpcnetworking.com/downtimecostcalc.htm) are available to assist companies in estimating the cost of DMS downtime on a per-hour basis.

Unfortunately, about 75 percent of U.S. organizations experience some sort of unexpected delay in the availability of their DMS each year; however, organizations whose comprehensive business continuity plans include "hot sites" that are tested at least once a year are much more likely to be able to switch over to these backup systems quickly without any interruption of service. Companies such as Akamai Technologies Inc. specialize in providing clients like Microsoft with dozens of globally dispersed "hot site" locations. Unfortunately, Akamai's DMS crashed recently because of deficient architectural security controls. As a result, many of its client DMSs, including Microsoft, also crashed for several hours.

ENSURING CRM SUCCESS

CRM is an emerging business concept that internal auditors need to be aware of so that they can help ensure that CRM-related business objectives are achieved. The advantages of CRM are its ability to enhance customer satisfaction and increase revenues. It does this by providing real-time integration of all business processes that have direct interaction with customers. This helps ensure that accounting, marketing, call center agents, and sales representatives are getting the information they need to do their jobs effectively and efficiently.

Although CRM-DMS offers clear advantages, it also encompasses significant risks, which internal auditors are well-suited to address. Specifically, CRM has a direct and significant impact on the financial statement revenues reported by an organization. As a result, it is important to ensure that data input, sales discount policies, and access and security risks are identified and controlled. This is critical for organizations that are subject to Sarbanes-Oxley, because the CRM-DMS could be a source of material internal control weaknesses or significant internal control deficiencies.