Governance and Compliance Peter Coffee, salesforce.com Paul Schmitter, RiskMetrics Group Inc. Robert Hirth, Protiviti Inc. Track: Executive Insight
Page 1: PowerPoint

Governance and Compliance

Peter Coffee, salesforce.com

Paul Schmitter, RiskMetrics Group Inc.

Robert Hirth, Protiviti Inc.

Track: Executive Insight

Page 2: PowerPoint

Safe Harbor Statement

“Safe harbor” statement under the Private Securities Litigation Reform Act of 1995: This presentation may contain forward-looking statements including but not limited to statements concerning the potential market for our existing service offerings and future offerings. All of our forward looking statements involve risks, uncertainties and assumptions. If any such risks or uncertainties materialize or if any of the assumptions proves incorrect, our results could differ materially from the results expressed or implied by the forward-looking statements we make.

The risks and uncertainties referred to above include - but are not limited to - risks associated with possible fluctuations in our operating results and cash flows, rate of growth and anticipated revenue run rate, errors, interruptions or delays in our service or our Web hosting, our new business model, our history of operating losses, the possibility that we will not remain profitable, breach of our security measures, the emerging market in which we operate, our relatively limited operating history, our ability to hire, retain and motivate our employees and manage our growth, competition, our ability to continue to release and gain customer acceptance of new and improved versions of our service, customer and partner acceptance of the AppExchange, successful customer deployment and utilization of our services, unanticipated changes in our effective tax rate, fluctuations in the number of shares outstanding, the price of such shares, foreign currency exchange rates and interest rates.

Further information on these and other factors that could affect our financial results is included in the reports on Forms 10-K, 10-Q and 8-K and in other filings we make with the Securities and Exchange Commission from time to time. These documents are available on the SEC Filings section of the Investor Information section of our website at www.salesforce.com/investor. Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements, except as required by law.

Page 3: PowerPoint

Peter Coffee

Director, Platform Research

Page 4: PowerPoint

Enterprise IT pros recognize the challenge

Only 28 per cent of organizations are “confident” that they are “fully compliant” (ControlPath)

Estimated cost per corporation of Sarbanes-Oxley compliance averages $16 million per year

Technology trends oppose governance goals

– Cheaper processing cracks crypto cost-effectively

– Greater connectivity expands and complicates threat space

– Growing storage volume outpaces storage management

Page 5: PowerPoint

Cloud computing models offer assistance

Multi-tenant systems spread costs across large base of customers rather than requiring separate certifications

Metadata-based customization and configuration of multi-tenant systems drastically shrinks attack surface

SaaS/PaaS contract officers and CFOs can focus risk assessment and remediation

– Fewer responsible parties

– Clear statements of requirements and consequences

Page 6: PowerPoint

Paul Schmitter

Head of Process Management

Page 7: PowerPoint

All About RiskMetrics Group Inc.

RiskMetrics Group is a leading provider of risk management and corporate governance products and services to participants in global financial markets, enabling clients to better understand and manage the risks associated with their financial holdings, provide greater transparency to their internal and external constituencies, satisfy regulatory and reporting requirements and make more informed investment decisions.

• INDUSTRY: Financial Services

• EMPLOYEES: 1200

• GEOGRAPHY: Global

• # USERS: 500

• PRODUCT(S) USED: Salesforce CRM Enterprise Edition

Page 8: PowerPoint

The RiskMetrics Group Story (as it relates to Sarbanes-Oxley Section 404)

We did a major acquisition last year – (maybe you saw my session on merging orgs on Monday)

We listed on the NYSE in January 2008.

We’ve had a major SOx compliance initiative this year.

We are completing testing now.

Page 9: PowerPoint

Why does SOx relate to Salesforce CRM?

If you use Salesforce CRM to manage Sales information, this is at the front end of your Revenue Process.

Controls around the Revenue Process are very important to SOx.

By introducing controls at the front end of this process, and using salesforce.com's sophisticated capabilities, you can streamline your SOx compliance project.

Page 10: PowerPoint

Prerequisites

Your Salesforce CRM processes must be connected to your financial processes in order to implement Revenue Process Controls in salesforce.com

– It helps to have integration with your Accounting/GL System

We use the API to do this - all billing is automatically generated after approval of an Opportunity and is directly posted to the Accounting System

If you are re-keying information into your accounting system, it is much more difficult to implement controls in Salesforce CRM

Page 11: PowerPoint

Why does Salesforce CRM make SOx compliance easier?

It is much easier to implement a control using a Field Permission, Validation Rule, Approval Process, or Workflow Rule than a manual control.

It is much easier to demonstrate compliance during testing by running a report than producing a signed spreadsheet from a paper file.

You can outsource your compliance infrastructure

– You can deflect a lot of inquiries about your IT infrastructure by pointing to the salesforce.com infrastructure.

– The ability to get a copy of the salesforce.com SAS 70 was very important to this.

Page 12: PowerPoint

What we had to do

We implemented a change management system for our IT development team as a custom application.

We reviewed user permissions and did some amount of tightening them - especially around Opportunity permissions.

We verified controls around

– Opportunity matches contract terms.

– Billing matches Opportunity terms

– Revenue recognition matches Opportunity terms

– Regular Reconciliation of Billing and revenue recognition from Sales Information.

Page 13: PowerPoint

Relevant Functionality

User Permissioning

– The flexible, role based, user permissioning in salesforce.com allowed us to quickly restrict access of a particular control point only to the appropriate people.

– The ability to report on User Permissions is helpful to demonstrate testability of controls.

Audit Trails

– It was very useful to be able to produce audit trails of changes to Opportunity and our related Invoice Custom Object in reports.

– Opportunity field history was completely inadequate for this purpose until the Summer 08 release.

Page 14: PowerPoint

Relevant Functionality

Approval Processes

– We used Approval Processes for our change management system to show approval of changes.

Record Retention

– Records are retained indefinitely, and older records are as easy to access as newer records.

Page 15: PowerPoint

Relevant Functionality

Workflow Rules

– Used extensively for various notifications and automations. We used Workflow more than Approval Processes

Reporting

– User Permissions

– Audits to Opportunity Changes

– Change Management custom Object

Web Services API

– We used this to implement integration with our Finance/Accounting System

Page 16: PowerPoint

Problems

It can be difficult to get a copy of the salesforce.com SAS 70.

Approval processes can be cumbersome to implement.

Opportunity field history was inadequate for producing a full audit trail of Opportunity changes until the Summer 08 release.

Page 17: PowerPoint

Manage. Share. Build. – Apply what you’ve learned

You can implement SOx controls in Salesforce CRM IF it is properly connected to your Finance processes.

Salesforce CRM functionality is useful for implementing SOx related controls.

Salesforce CRM reporting functionality is useful for testability of controls.

Page 18: PowerPoint

Robert Hirth

Executive Vice President

Global Internal Audit

Page 19: PowerPoint

All About Protiviti Inc.

Protiviti is a global business consulting and internal audit firm composed of experts specializing in risk, advisory and transaction services. The firm helps solve problems in finance and transactions, operations, technology, litigation, governance, risk and compliance. Protiviti’s professionals provide a unique perspective on a wide range of critical business issues for clients in the Americas, Asia-Pacific, Europe and the Middle East.

• INDUSTRY: Professional Services

• EMPLOYEES: >3,300 in >60 offices in 16 countries

• # USERS: 1,050

• PRODUCT(S) USED: Customforce; Salesforce CRM

Page 20: PowerPoint

Challenges

Protiviti faced many challenges when founded, including:

– Converting to being part of a public company

– Growing significantly while keeping compliant and managing capital and IT cost

– Meeting any and all legal requirements in 16 countries AND staying connected globally

– Meeting rules and policies established internally and by our parent company and our new Operating Committee

– Winning in the Marketplace

Page 21: PowerPoint

Business & Process Drivers: People, Clients, Growth

Attracting, retaining and developing the best talent for our company

Attracting, retaining and growing our client base

Meeting and converting clients

Managing risk, pipeline and client satisfaction

Sharing contact and account information effectively

Page 22: PowerPoint

Protiviti’s Use of Salesforce CRM

Address main business challenges with an easy to use, flexible application

Use of Salesforce CRM has expanded to encompass the following areas:

– Recruiting and Tracking Employees

– Client Setup and Engagement Risk Assessment

– Contact Management

– Sales and Pipeline Management

– Client Satisfaction

– Enhancing Visibility and Yield for Marketing

Page 23: PowerPoint

Recruiting and Tracking Employees

Protiviti built a custom recruiting application, RecruitForce

– address compliance requirements

– provide management level reporting about status and progress of prospective applicants

Specific solution enables the following:

– HR compliance reporting

– Management reporting

– Online resume submission

– Standardized processes for applicant tracking and follow up

Page 24: PowerPoint

RecruitForce – Job Record

Page 25: PowerPoint

Client Setup and Engagement Risk Assessment

Each project team must assess relative risks associated with a client before accepting a consulting engagement

Technology team at Protiviti extended salesforce.com to build out the risk assessment tool, criteria and approval process into the application

This solution has enabled the following benefits:

– Increased compliance with internal policies

– Reduced effort and consistent approach for new engagements

– Management reporting for identification of high risk projects

– Better risk management and client acceptance results

© 2008 Protiviti Inc. An Equal Opportunity Employer. This document is for your company’s internal use only and may not be distributed to any third party.

Page 26: PowerPoint

Contact Management

Explosive growth in internet and email marketing

– Compliance necessitates the consistent handling and tracking of contact information

– Most important aspect: managing email opt-in/out preferences.

Protiviti has integrated salesforce.com with website and eMarketing engine

– Ensure compliance and adherence to “opt-out” requests

– Enables achievement of:

• Consolidated marketing database, synch’d with Outlook

• Ability to manage opt-in/opt-out preferences

• Use of “add-on” point solutions to manage contact campaigns

• Increased collaboration of sales and account teams

• Contacts’ information staying with the enterprise

Page 27: PowerPoint

Sales & Pipeline Management

• Wholly owned subsidiary of Robert Half Int’l Inc.

• A publicly traded company

• Necessitated process for forecasting future business

• Input from sales/pipeline management components of Salesforce CRM

• Results included:

• Compliance with quarterly forecasting requirements from parent company

• Greater visibility to our own business and future

• Consolidated management reporting on a global basis

• Significant time savings from the manual consolidation of various spreadsheets - NO SPREADSHEETS

Page 28: PowerPoint

Executive Dashboard – Win/Loss Analysis

Page 29: PowerPoint

Client Satisfaction

• Client satisfaction important in assessing project team

• Protiviti utilizes salesforce.com to facilitate client satisfaction surveys, enabling:

• Easy mechanism to execute and capture the survey results

• Ability to easily share results with the engagement team and management

• Enables compliance with our internal policies around client satisfaction

• Integrated into incentive compensation scoring

Page 30: PowerPoint

Customer Satisfaction Survey

Page 31: PowerPoint

Session Feedback

Let us know how we’re doing and enter to win an iPod nano!

Please score the session from 5 to 1 (5=excellent, 1=needs improvement) in the following categories:

Overall rating of the session

Quality of content

Strength of presentation delivery

Relevance of the session to your organization

Additionally, please fill in the name of each speaker & score them on overall delivery.

We strive to improve, thank you for filling out our survey.

Page 32: PowerPoint

Q&A

Peter Coffee, Director, Platform Research

Paul Schmitter, Head of Process Management

Robert Hirth, Executive Vice President, Global Internal Audit