Governance and Compliance
Peter Coffee, salesforce.com
Paul Schmitter, RiskMetrics Group Inc.
Robert Hirth, Protiviti Inc.
Track: Executive Insight
Safe Harbor Statement
“Safe harbor” statement under the Private Securities Litigation Reform Act of 1995: This presentation may contain forward-looking statements including but not limited to statements concerning the potential market for our existing service offerings and future offerings. All of our forward looking statements involve risks, uncertainties and assumptions. If any such risks or uncertainties materialize or if any of the assumptions proves incorrect, our results could differ materially from the results expressed or implied by the forward-looking statements we make.
The risks and uncertainties referred to above include - but are not limited to - risks associated with possible fluctuations in our operating results and cash flows, rate of growth and anticipated revenue run rate, errors, interruptions or delays in our service or our Web hosting, our new business model, our history of operating losses, the possibility that we will not remain profitable, breach of our security measures, the emerging market in which we operate, our relatively limited operating history, our ability to hire, retain and motivate our employees and manage our growth, competition, our ability to continue to release and gain customer acceptance of new and improved versions of our service, customer and partner acceptance of the AppExchange, successful customer deployment and utilization of our services, unanticipated changes in our effective tax rate, fluctuations in the number of shares outstanding, the price of such shares, foreign currency exchange rates and interest rates.
Further information on these and other factors that could affect our financial results is included in the reports on Forms 10-K, 10-Q and 8-K and in other filings we make with the Securities and Exchange Commission from time to time. These documents are available on the SEC Filings section of the Investor Information section of our website at www.salesforce.com/investor. Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements, except as required by law.
Peter Coffee, Director, Platform Research
Enterprise IT pros recognize the challenge
Only 28 per cent of organizations are “confident” that they are “fully compliant” (ControlPath)
Estimated cost per corporation of Sarbanes-Oxley compliance averages $16 million per year
Technology trends oppose governance goals
– Cheaper processing cracks crypto cost-effectively
– Greater connectivity expands and complicates threat space
– Growing storage volume outpaces storage management
Cloud computing models offer assistance
Multi-tenant systems spread costs across large base of customers rather than requiring separate certifications
Metadata-based customization and configuration of multi-tenant systems drastically shrinks attack surface
SaaS/PaaS contract officers and CFOs can focus risk assessment and remediation
– Fewer responsible parties
– Clear statements of requirements and consequences
Paul Schmitter, Head of Process Management
All About RiskMetrics Group Inc.
RiskMetrics Group is a leading provider of risk management and corporate governance products and services to participants in global financial markets, enabling clients to better understand and manage the risks associated with their financial holdings, provide greater transparency to their internal and external constituencies, satisfy regulatory and reporting requirements and make more informed investment decisions.
• INDUSTRY: Financial Services
• EMPLOYEES: 1200
• GEOGRAPHY: Global
• # USERS: 500
• PRODUCT(S) USED: Salesforce CRM Enterprise Edition
The RiskMetrics Group Story (as it relates to Sarbanes-Oxley Section 404)
We did a major acquisition last year – (maybe you saw my session on merging orgs on Monday)
We listed on the NYSE in January 2008.
We’ve had a major SOx compliance initiative this year.
We are completing testing now.
Why does SOx relate to Salesforce CRM?
If you use Salesforce CRM to manage Sales information, this is at the front end of your Revenue Process.
Controls around the Revenue Process are very important to SOx.
By introducing controls at the front end of this process, and using salesforce.com's sophisticated capabilities, you can streamline your SOx compliance project.
Prerequisites
Your Salesforce CRM processes must be connected to your financial processes in order to implement Revenue Process Controls in salesforce.com
– It helps to have integration with your Accounting/GL System
We use the API to do this - all billing is automatically generated after approval of an Opportunity and is directly posted to the Accounting System
If you are re-keying information into your accounting system, it is much more difficult to implement controls in Salesforce CRM
Why does Salesforce CRM make SOx compliance easier?
It is much easier to implement a control using a Field Permission, Validation Rule, Approval Process, or Workflow Rule than a manual control.
It is much easier to demonstrate compliance during testing by running a report than producing a signed spreadsheet from a paper file.
You can outsource your compliance infrastructure
– You can deflect a lot of inquiries about your IT infrastructure by pointing to the salesforce.com infrastructure.
– The ability to get a copy of the salesforce.com SAS 70 was very important to this.
What we had to do
We implemented a change management system for our IT development team as a custom application.
We reviewed user permissions and did some amount of tightening them - especially around Opportunity permissions.
We verified controls around
– Opportunity matches contract terms.
– Billing matches Opportunity terms
– Revenue recognition matches Opportunity terms
– Regular Reconciliation of Billing and revenue recognition from Sales Information.
Relevant Functionality
User Permissioning
– The flexible, role based, user permissioning in salesforce.com allowed us to quickly restrict access of a particular control point only to the appropriate people.
– The ability to report on User Permissions is helpful to demonstrate testability of controls.
Audit Trails
– It was very useful to be able to produce audit trails of changes to Opportunity and our related Invoice Custom Object in reports.
– Opportunity field history was completely inadequate for this purpose until the Summer 08 release.
Approval Processes
– We used Approval Processes for our change management system to show approval of changes.
Record Retention
– Records are retained indefinitely, and older records are as easy to access as newer records.
Workflow Rules
– Used extensively for various notifications and automations. We used Workflow more than Approval Processes
Reporting
– User Permissions
– Audits to Opportunity Changes
– Change Management custom Object
Web Services API
– We used this to implement integration with our Finance/Accounting System
Problems
It can be difficult to get a copy of the salesforce.com SAS 70.
Approval processes can be cumbersome to implement.
Opportunity field history was inadequate for producing a full audit trail of Opportunity changes until the Summer 08 release.
Manage. Share. Build. – Apply what you’ve learned
You can implement SOx controls in Salesforce CRM IF it is properly connected to your Finance processes.
Salesforce CRM functionality is useful for implementing SOx related controls.
Salesforce CRM reporting functionality is useful for testability of controls.
Robert Hirth, Executive Vice President, Global Internal Audit
All About Protiviti Inc.
Protiviti is a global business consulting and internal audit firm composed of experts specializing in risk, advisory and transaction services. The firm helps solve problems in finance and transactions, operations, technology, litigation, governance, risk and compliance. Protiviti’s professionals provide a unique perspective on a wide range of critical business issues for clients in the Americas, Asia-Pacific, Europe and the Middle East.
• INDUSTRY: Professional Services
• EMPLOYEES: >3,300 in >60 offices in 16 countries
• # USERS: 1,050
• PRODUCT(S) USED: Customforce; Salesforce CRM
Challenges
Protiviti faced many challenges when founded, including:
– Converting to being part of a public company
– Growing significantly while keeping compliant and managing capital and IT cost
– Meeting any and all legal requirements in 16 countries AND staying connected globally
– Meeting rules and policies established internally and by our parent company and our new Operating Committee
– Winning in the Marketplace
Business & Process Drivers: People, Clients, Growth
Attracting, retaining and developing the best talent for our company
Attracting, retaining and growing our client base
Meeting and converting clients
Managing risk, pipeline and client satisfaction
Sharing contact and account information effectively
Protiviti’s Use of Salesforce CRM
Address main business challenges with an easy to use, flexible application
Use of Salesforce CRM has expanded to encompass the following areas:
– Recruiting and Tracking Employees
– Client Setup and Engagement Risk Assessment
– Contact Management
– Sales and Pipeline Management
– Client Satisfaction
– Enhancing Visibility and Yield for Marketing
Recruiting and Tracking Employees
Protiviti built a custom recruiting application, RecruitForce
– address compliance requirements
– provide management level reporting about status and progress of prospective applicants
Specific solution enables the following:
– HR compliance reporting
– Management reporting
– Online resume submission
– Standardized processes for applicant tracking and follow up
RecruitForce – Job Record
© 2008 Protiviti Inc. An Equal Opportunity Employer. This document is for your company’s internal use only and may not be distributed to any third party.
Client Setup and Engagement Risk Assessment
Each project team must assess relative risks associated with a client before accepting a consulting engagement
Technology team at Protiviti extended salesforce.com to build out the risk assessment tool, criteria and approval process into the application
This solution has enabled the following benefits:
– Increased compliance with internal policies
– Reduced effort and consistent approach for new engagements
– Management reporting for identification of high risk projects
– Better risk management and client acceptance results
Contact Management
Explosive growth in internet and email marketing
– Compliance necessitates the consistent handling and tracking of contact information
– Most important aspect: managing email opt-in/out preferences.
Protiviti has integrated salesforce.com with website and eMarketing engine
– Ensure compliance and adherence to “opt-out” requests
– Enables achievement of:
• Consolidated marketing database, synch’d with Outlook
• Ability to manage opt-in/opt-out preferences
• Use of “add-on” point solutions to manage contact campaigns
• Increased collaboration of sales and account teams
• Contacts’ information staying with the enterprise
Sales & Pipeline Management
• Wholly owned subsidiary of Robert Half Int’l Inc.
• A publicly traded company
• Necessitated process for forecasting future business
• Input from sales/pipeline management components of Salesforce CRM
• Results included:
• Compliance with quarterly forecasting requirements from parent company
• Greater visibility to our own business and future
• Consolidated management reporting on a global basis
• Significant time savings from the manual consolidation of various spreadsheets - NO SPREADSHEETS
Executive Dashboard – Win/Loss Analysis
Client Satisfaction
• Client satisfaction important in assessing project team
• Protiviti utilizes salesforce.com to facilitate client satisfaction surveys, enabling:
• Easy mechanism to execute and capture the survey results
• Ability to easily share results with the engagement team and management
• Enables compliance with our internal policies around client satisfaction
• Integrated into incentive compensation scoring
Customer Satisfaction Survey
Peter Coffee, Director, Platform Research
Paul Schmitter, Head of Process Management
Robert Hirth, Executive Vice President, Global Internal Audit
Q&A