Risks of Customer Relationship Management—A Security, Control and Audit Approach - Foreword




Customer relationship management is a hot topic that many organizations are currently addressing. But what exactly is it? By its simplest definition, it is the group of systems, processes, applications and technologies surrounding the sales, marketing and customer service areas of an organization.

What Is Customer Relationship Management?

Customer relationship management (CRM) is a paradigm shift of strategic, process, organizational and technical change whereby an organization seeks to better manage the business around customer interactions. It is about transformation to become market-intelligent (e.g., an organization that can quickly respond to and react to changing market conditions) to achieve revenue and profit growth and operational efficiencies. CRM entails acquiring and deploying knowledge of customers and using this information across every area of business that touches the customer.

The philosophy of better customer relationship management is to improve customer centricity on one or more fronts, such as increasing revenue or sales, improving customer service, increasing customer intimacy, improving efficiency and reducing costs, solidifying customer loyalty and gaining market share, while ultimately improving profits and shareholder value.

Organizations that have embraced the messages of customer centricity by putting the customer in the center of the organization and building the business models around the customer have had to endure a great amount of change, including new technologies, new processes to include more teaming, new sharing of information, new organizational structures, new reward systems, new business rules and new channels. These changes bring to the organization significant risks, such as privacy, security, data management, integration, channel management and sales, marketing or customer service processes.

This book is written to provide a reference for the information systems auditor. The information is based on experience gathered while providing service to clients, global research conducted with system auditors and the viewpoints of software providers, consultants and e-business vendors. The book discusses the strategic value of customer relationship management and helps auditors and IT professionals understand the impact CRM will have on the organization and how to control the risks.

You can play a key part in the success of customer relationship management within your organization, whether by preventing a bad outcome through mitigating a potential risk or by helping an intended outcome happen through addressing or implementing a control that further ensures its success. Either way, you will be adding value in achieving the overall plan. Carrying out this role takes preparation.

PwC professionals have already used the concepts of this book successfully when applying services, and we hope you can use them as successfully within your organization. Many of the technology components may already have been under review for some time. For individuals already addressing these areas, this book provides a sounding board for what you are doing today and a way to see how it compares to your practices. Others will find the book to be preeminently a "what-to-do and how-to-do-it" publication. It includes a brief description of each area, a discussion of the risks that relate to the subject matter and a suggested work program to address the risks identified. Those without previous exposure to customer-facing or front office systems and audits will find value in the understanding and analysis each section provides.

The work program at the back of each chapter provides a valuable tool to the reader. However, it needs some cautionary words of introduction. For example, CRM applications can be used for a variety of purposes, and some organizations may implement only part of full CRM functionality during each implementation. Many of the controls and risk management activities require judgment, particularly those that involve the operation of the sales, marketing and customer service teams and the way in which those teams are rewarded and motivated. Yet soft controls in a CRM implementation are equally important; without them the project is doomed to failure.

In essence, any person auditing, reviewing or advising on controls in a CRM project will need to select tasks from the work program and to consider the key issues raised in the text as part of their preparation. You should not use the work program as a checklist of best practice. Rather, use it as a selection of examples of good practice that can be applied. By using the work programs blindly, you risk losing the confidence of the auditee and may even miss the largest risks in the project, due to the peculiarities of your project. Therefore, use the work programs as guidance, but add your own knowledge of the organization and your specific risks.

This book was truly a group effort. Several folks need to be acknowledged, including the Research Board at ISACF, especially Michael Ward, those who contributed to the survey and research, and those who wrote content for the book, including Michele McLaughlin and the PricewaterhouseCoopers LLP team.

David Erickson
PricewaterhouseCoopers LLP
Global Risk Management Solutions Partner