CRM Work Programs



Information Systems Audit and Control Association (www.isaca.org)
Systems Audit and Control Association & Foundation

Risks of Customer Relationship Management: A Security, Control and Audit Approach

Audit Work Programs

Information Systems Audit and Control Association

With more than 28,000 members in more than 100 countries, the Information Systems Audit and Control Association (ISACA®) (www.isaca.org) is a recognized worldwide leader in IT governance, control, security and assurance. Founded in 1969, ISACA sponsors international conferences, publishes the Information Systems Control Journal™, develops international information systems auditing and control standards, and administers the globally respected Certified Information Systems Auditor™ (CISA®) designation earned by more than 34,000 professionals since inception, and the Certified Information Security Manager (CISM™) designation, a groundbreaking credential earned by 5,000 professionals in its first two years.

IT Governance Institute™

The IT Governance Institute (www.itgi.org) was established in 1998 to advance international thinking and standards in directing and controlling an enterprise’s information technology. Effective IT governance helps ensure that IT supports business goals, optimizes business investment in IT, and appropriately manages IT-related risks and opportunities. The IT Governance Institute offers symposia, original research and case studies to assist enterprise leaders and boards of directors in their IT governance responsibilities.

Purpose of Audit Programs and Internal Control Questionnaires

One of ISACA’s goals is to ensure that educational products support member and industry information needs. Responding to member requests for useful audit programs, ISACA’s Education Board has released audit programs and internal control questionnaires for member use through K-NET. These checklists were developed for the recently released publication Risks of Customer Relationship Management: A Security, Control and Audit Approach, available in the ISACA bookstore.

Control Objectives for Information and related Technology

Control Objectives for Information and related Technology (COBIT®) has been developed as a generally applicable and accepted standard for good information technology (IT) security and control practices that provides a reference framework for management, users, and IS audit, control and security practitioners. These audit work programs reference key COBIT control objectives.

Disclaimer

ITGI, ISACA and the author of this document have designed the publication primarily as an educational resource for control professionals. ISACA makes no claim that use of this product will assure a successful outcome. The publication should not be considered inclusive of all proper procedures and tests, or exclusive of other procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific procedure or test, the controls professional should apply his/her own professional judgment to the specific control circumstances presented by the particular systems or information technology environment. Users are cautioned not to consider these audit programs and internal control questionnaires to be all-inclusive or applicable to all organizations. They should be used as a starting point to build upon, based on an organization’s constraints, policies, practices and operational environment.

© Copyright IT Governance Institute 2003 www.isaca.org/auditprograms 1


Table of Contents

Audit Work Programs
1. Sales Risks
2. Marketing Risks
3. Customer Interaction Center and Field Service Risks
4. Data Management Risks
5. Integration Risks
6. Channel Management and Integration Risks
7. Telecommunication Infrastructure Risks
8. Security Risks
9. Project Management Risks
10. Benefit Realization
11. Organizational Change Management
12. Privacy Risks


1. Sales Risks Work Program

The following work program will help address the sales risks within the organization. Those auditing, reviewing or advising on controls in a CRM project will need to select tasks from the work program and consider the key issues raised in the IT Governance Institute publication Risks of Customer Relationship Management as part of their preparation. The work program should not be used as a checklist of best practice, but as a selection of examples of good practice that can be applied. Using the work programs blindly risks losing the confidence of the auditee and even missing the largest risks in the project, because every project has its own peculiarities. Therefore, work programs should be used as guidance, with the specific knowledge of the organization and its risks added to them.

Note: A business objective may be listed more than once because it has multiple risks and corresponding control objectives. See the disclaimer above.

Table columns: Business Objective | Risk | Control | Comments/Results/W/P Ref. | COBIT Reference. The Comments/Results/W/P Ref. column is left blank for the reviewer to complete; each row below is written out column by column.

Sales Strategy and Management

Business objective: The sales strategy plans for current and future market conditions.
Risk: The organization may not appropriately anticipate and plan for changes in market conditions.
Control: Market intelligence on current and future market conditions is gathered and factored into the development of sales strategies.
COBIT reference: PO1, PO3

Business objective: An integrated sales strategy is adopted throughout the entire organization.
Risk: Individual departments within the organization may pursue conflicting and counter-productive sales strategies.
Control: Communication exists between all key departments to ensure that all relevant input is incorporated into setting the strategic direction.
Control: The sales strategy is communicated to all sales personnel.
Control: The sales personnel are enticed to act in accordance with the overall sales strategy via sales metrics and incentives.
COBIT reference: PO6, PO11, M1


Business objective: The organization develops long-term and profitable customer relationships.
Risk: The organization may pursue near-sighted relationships and unprofitable customers.
Control: Procedures and incentives for sales personnel focus on building long-term relationships with customers.
Control: Management commits appropriate resources to the development of long-term customer relationships.
Control: Customer profitability is measured and factored into customer strategies.
COBIT reference: PO6, M1

Business objective: Sales personnel are motivated to achieve sales goals and targets.
Risk: Sales goals and targets may not be met.
Control: Both financial and nonfinancial motivational techniques and incentives are used to reward and encourage positive behavior that aligns with the organization’s sales strategy.
Control: Realistic sales goals and targets are created at the organizational level and also at an individual level for each sales person.
Control: Progress against sales goals and targets is measured on a periodic basis and feedback is provided on an organizational level and individual level.
COBIT reference: PO7, M1

Business objective: Sales personnel work together as a team.
Risk: Information may not be shared across the sales team.
Risk: Conflicting behavior within the team may exist.
Risk: There may be loss of revenue.
Control: Participation in team-based selling is encouraged within the organization and is part of each sales person’s performance assessment criteria.
COBIT reference: PO10


Business objective: Reward criteria for sales personnel are in alignment with the organization’s overall strategic direction.
Risk: Sales personnel actions may be focused on short-term goals (e.g., quick sales) rather than long-term strategic goals (e.g., building customer relationships and long-term profitable customers).
Control: Sales personnel rewards are set to motivate performance that is consistent with corporate sales objectives.
Control: Staff actions are monitored to detect incongruent sales activities.
COBIT reference: PO7

Business objective: Roles and responsibilities are segregated to increase selling efficiency.
Risk: Sales personnel may spend too much time on noncustomer-facing administration, reducing the time spent engaged in sales-related activities.
Control: The organizational structure is designed to provide a clear division between sales personnel and support personnel.
Control: The support personnel are effectively utilized to reduce the amount of administrative time for sales personnel.
COBIT reference: PO4

Business objective: The organizational structure reflects the segmentation of key customer market segments.
Risk: Sales resources may be misdirected.
Control: The sales organizational structure is designed to reflect the segmentation of key customer markets and is continually reevaluated as markets evolve.
COBIT reference: PO1

Business objective: Information about customers is disseminated effectively throughout the organization.
Risk: Interdepartmental communication may be limited and may impact the organization’s ability to share knowledge across all customer touchpoints.
Control: Sales personnel work in teams that cross departmental boundaries to facilitate knowledge sharing and effective communication about all critical interactions for a given customer account.
COBIT reference: PO11


Business objective: Sales channels are complementary.
Risk: Channel conflicts may lead to wasted resources and missed sales opportunities.
Control: Sales channels have clearly defined boundaries.
Control: All channel conflicts are identified and resolved to gain efficiencies, allow effective multi-channel integration, and increase revenue and customer satisfaction.
Control: Performance metrics are based on a balanced scorecard (e.g., recognizing sales made for other channels) so that channels are working together rather than competing.
COBIT reference: PO1, M1

Business objective: Succession strategies minimize the impact of employee turnover.
Risk: Lack of succession planning could result in a failure to retain intellectual capital and customer contacts in the event of sales personnel turnover, which is typically very high.
Control: A succession plan is in place for all key roles or responsibilities within the sales organization.
COBIT reference: PO7


Business objective: Profitability is regularly monitored.
Risk: Potential profitability and value may not be understood for major accounts, territories, locations and divisions.
Control: Sales managers regularly assess profitability by major accounts, territories, and locations/divisions within the organization, and the results are communicated to all relevant sales personnel and management.
Control: Reports on margin per customer are a regular activity to improve profitability on low-margin customers (or to cease trading with those customers).
COBIT reference: PO6, DS6, M1

Business objective: Account plans are developed to determine sales effort and investment.
Risk: Inappropriate targeting and budgets may be made for key accounts.
Control: Account plans are developed, and they include profitability and forecast information to assist in compiling budgets for key account targeting activities.
Control: The cost of targeting and managing the account is measured.
COBIT reference: DS11

Business objective: Revenue and product forecasts are updated in a timely manner.
Risk: Inaccurate revenue and product forecasts may be made.
Control: Revenue and product forecasting information is regularly updated and reflects the latest market trends.
Control: Significant deviations from the original forecast are investigated to understand the impact.
COBIT reference: DS6, PO9

Business objective: Compensation plans are in alignment with corporate sales objectives.
Risk: There may be an inability to motivate sales personnel to achieve corporate sales goals.
Control: The sales compensation plan is designed to reward sales performance in alignment with corporate sales objectives.
Control: The sales personnel are motivated to achieve corporate sales goals and objectives.
COBIT reference: PO11


Business objective: The sales force receives appropriate training to develop their sales skills.
Risk: Ineffective sales skills may not be addressed.
Risk: Lack of understanding of sales strategy, goals and objectives may not be addressed.
Risk: Lack of understanding of organization background, product information and organization policies may not be addressed.
Control: Appropriate training resources are available to ensure sales personnel have the necessary skills to sell and build profitable customer relationships.
Control: Sales personnel are provided regular training.
Control: The sales curriculum is developed in conjunction with sales management on current topics, policies, strategies, etc.
COBIT reference: PO7, PO10

Business objective: Sales performance is actively monitored.
Risk: Difficulty in identifying performance trends or problems may occur.
Risk: There may be an inability to respond quickly to changing market conditions.
Control: Sales performance is regularly monitored to assess sales personnel performance and trends for market segments, sales personnel and key customer accounts.
Control: Key performance indicators (KPIs), including margin analysis and customer satisfaction ratings, are monitored to actively manage the sales process.
COBIT reference: M1, AI6

Identify and Qualify Opportunities


Business objective: Sales management supports sales goals and objectives.
Risk: Ineffective sales teams or wasted resources in opportunities that are not in alignment with sales goals and objectives may occur.
Risk: Lost opportunities may occur.
Control: The performance of sales management is linked to sales goals and objectives.
Control: Sales personnel are evaluated and remunerated against the sales objectives.
Control: Sales opportunities are linked to the sales goals and objectives to ensure that they are in alignment with sales goals and objectives before time and resources are spent pursuing the opportunities.
COBIT reference: DS1

Business objective: Markets and customer segments are appropriately targeted.
Risk: Inappropriate market segments may be targeted.
Risk: The sales organization may not focus enough effort on the most profitable accounts.
Control: Key market segments are analyzed and the most profitable accounts identified.
Control: Sales efforts are focused where they will have the greatest results.
COBIT reference: PO11, DS1, DS8

Business objective: Accurate and complete market segment data are available to sales personnel.
Risk: Uninformed decisions about where to focus sales efforts may be made.
Control: Market segment data are collated in a central repository that is accessible to relevant sales personnel.
Control: Market segment data are accurate, complete and updated on a timely basis.
COBIT reference: DS7, DS8

Business objective: Sales channels are regularly evaluated for viability.
Risk: Changing sales channels may not be identified, which may result in lost sales opportunities.
Control: Sales channels are regularly re-evaluated to reflect changes in market conditions and customer demand.
COBIT reference: M1


Business objective: Sales opportunities are recorded completely, promptly and accurately.
Risk: Lost sales opportunities may occur.
Risk: Incomplete or invalid sales opportunity information may be obtained.
Control: All sales opportunities are identified and recorded in a timely manner so that the sales team and management are aware of all potential opportunities.
Control: Key dates are recorded to prioritize more immediate opportunities and also to ensure stale opportunities are removed from the list.
Control: Experienced sales personnel identify opportunities and make assumptions on the basis of the information identified.
Control: A centralized information repository is used to assist in the accurate identification of sales opportunities.
Control: The CRM application requires key fields to be entered before allowing the opportunity to be saved.
Control: Data entry is reviewed for reasonableness.
COBIT reference: DS9, DS11, PO2, AI2

Business objective: Only viable opportunities are pursued.
Risk: Leads may be incorrectly classified and, therefore, sales opportunities result in wasted sales efforts.
Control: Leads/potential sales opportunities are analyzed prior to being pursued.
COBIT reference: PO2

Business objective: Sales opportunities are only recorded once.
Risk: Duplicate sales opportunities may be recorded.
Risk: Distortion of the sales pipeline/forecast may occur.
Control: Sales personnel search for existing opportunities before entering a new opportunity.
Control: System controls identify potential duplicate records.
COBIT reference: DS9


Business objective: All sales opportunities are appropriately evaluated.
Risk: Valid sales opportunities may not be pursued.
Risk: Invalid sales opportunities may be pursued.
Risk: Lessons learned may not be captured to better identify and qualify opportunities.
Control: Management reviews dismissed sales opportunities for appropriateness, lessons learned, etc.
Control: Formal criteria are used to analyze each opportunity and perform an objective assessment of whether to pursue the opportunity. The criteria should include a cost-benefit analysis of the opportunity.
Control: Opportunities are assessed against the formalized criteria before being rejected or accepted.
Control: Reasons are captured for rejected opportunities.
Control: High-level deadlines and action plans are developed for qualified sales opportunities.
COBIT reference: PO6, PO9, AI4

Business objective: All required information is available to assist with qualifying an opportunity.
Risk: Information necessary to qualify a sales opportunity may not be available.
Control: Comprehensive sales opportunity data are stored within the CRM system.
Control: Information is available to qualify sales.
COBIT reference: DS9, PO2

Business objective: Customer history is used to predict future buying patterns.
Risk: Customer buying history may not be available to assist in analyzing sales opportunities.
Control: The CRM system tracks customer transaction history and makes this information readily available during opportunity analysis.
COBIT reference: DS3


Business objective: Sales opportunities are accurately qualified.
Risk: Sales opportunities may not be accurately qualified or quantified.
Risk: The risks inherent to opportunities may not be correctly assessed, resulting in incorrect decisions to pursue opportunities.
Control: Experienced sales personnel are responsible for qualifying and quantifying opportunities according to established guidelines.
Control: The risks associated with opportunities are identified, documented and factored into the assessment of opportunities.
Control: Clear rules on qualifying sales opportunities are set down and all employees are made aware of them.
COBIT reference: DS3, PO9, PO10

Business objective: The value of sales opportunities is accurately recorded.
Risk: Sales personnel may inflate opportunity values to meet personal objectives.
Control: Opportunity estimates are reviewed periodically and validated.
Control: Estimated revenues are compared against actual revenues on a periodic basis. The comparison is used to provide more realistic revenue estimates for future opportunities.
COBIT reference: DS11, AI1

Pursuing Qualified Opportunities and Submitting Proposals


Business objective: The appropriate sales personnel pursue sales opportunities in a timely manner.
Risk: Sales opportunities may not be distributed and pursued in a timely manner.
Risk: Sales opportunities may not be assigned to the correct sales personnel.
Control: The CRM system workflow routines or manual procedures route sales opportunities to the correct sales people in a timely manner.
Control: Procedures are in place to ensure the timely follow-up of all opportunities.
Control: Staff review sales opportunities in a timely manner and communicate any issues with the routing of sales opportunities.
Control: Realistic action plans are assigned to opportunities, with the responsibilities clearly defined.
COBIT reference: PO3, PO11, AI4

Business objective: Customer requirements are confirmed.
Risk: Customer requirements may be misunderstood.
Control: Procedures are in place for identifying, verifying, clarifying and modifying customer requirements.
Control: Requirements are reviewed to determine if they can be met by the organization.
Control: Procedures exist for communicating and resolving unfulfilled requirements with the customers.
Control: Once finalized, customer requirements are documented in the CRM system for all sales personnel to reference.
COBIT reference: AI4, PO11


Business objective: Customer requirements are realistic.
Risk: Unrealistic customer requirements may lead to the organization’s inability to deliver, resulting in an unsatisfied customer and potentially the loss of the sales opportunity.
Control: There are systems and procedures in place to validate customer requirements (e.g., delivery dates, product/service needs) prior to customer confirmation.
COBIT reference: PO11, AI4, DS3

Business objective: The customer is offered the correct/complete product/service.
Risk: Customers may not be offered the correct product/service or the complete solution to their needs.
Control: Products/services data are available and are accurate and complete.
Control: Guidance is distributed for helping sales personnel identify solutions to meet the customers’ needs.
COBIT reference: DS8

Business objective: Up-selling and cross-selling opportunities are identified.
Risk: Opportunities to up-sell/cross-sell products/services to the customer may not be identified or pursued.
Control: Sales personnel are trained in how to up-sell/cross-sell products/services.
Control: The CRM application automatically suggests potential up-sell/cross-sell opportunities.
COBIT reference: DS8

Business objective: The sales pipeline is actively monitored in a timely manner.
Risk: The sales pipeline may not be monitored actively.
Risk: Reporting and analysis of the sales pipeline may be unsatisfactory, resulting in lost sales opportunities.
Control: The CRM application provides tools/reports to help management actively monitor the sales pipeline.
Control: Management actively monitors the sales pipelines and tracks opportunities and the action items by date to ensure timely follow-up.
COBIT reference: PO1, DS13, M1


Business objective: Resources are allocated to each opportunity according to its size and importance to the organization.
Risk: Senior sales personnel may spend too much time on minor opportunities.
Risk: Junior sales personnel may pursue major accounts.
Control: The time allocated to pursuing sales opportunities is proportionate to the importance of the account/opportunity.
Control: Junior sales personnel are assigned to minor accounts. When junior sales personnel work on major accounts, a senior sales person oversees all account activities.
Control: Senior sales personnel are allocated to major accounts, with smaller accounts handled by junior sales personnel, automated self-service sales functionality or administrative sales support personnel.
COBIT reference: PO6, DS13

Business objective: The request for proposal (RFP) is reviewed prior to allocating resources to the preparation of a response.
Risk: Customer requirements may be misunderstood.
Control: The RFP is reviewed to determine whether customer requirements are clearly defined and can be met by the organization.
Control: Procedures are in place for identifying, verifying, clarifying and modifying customer requirements.
Control: Procedures exist for communicating and resolving unfulfilled requirements with the customers.
Control: Once finalized, customer requirements are documented in the CRM system for all sales personnel to reference while working on the RFP.
COBIT reference: AI1, AI4, DS3


Business objective: Nonstandard quotes are accurately prepared.
Risk: Nonstandard quotes may be inaccurately prepared and may not be authorized.
Control: Procedures are in place to guide the preparation and authorization of nonstandard quotes.
Control: Management must review and authorize all nonstandard quotes over a specified threshold.
COBIT reference: AI4, DS13

Business objective: Access to create quotes is restricted to authorized personnel.
Risk: Quotes may be created or amended by unauthorized personnel, which could result in an inappropriate commitment to sell goods or services to customers.
Control: Access to create or maintain quotes in the CRM/sales system is restricted to authorized personnel.
COBIT reference: DS5

Business objective: Quotes are valid for a specified period of time only.
Risk: Quotes may be created without a specified time period. Therefore, the organization may be obligated to provide the product/service at a locked price indefinitely into the future, which could result in sales at lower than the effective market price.
Control: The CRM application requires the entry of an effective time period for all quotes.
COBIT reference: DS5
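The application controls above (key fields required before an opportunity is saved, system identification of potential duplicate opportunities, and a mandatory validity period on every quote) can be tested with a small script run over a CRM extract. The following is an added example written for this page, not code from the ISACA work program or from any CRM product; the record layout, field names, dates and the legal-suffix list are assumptions, and the sample records are constructed so the script runs offline.

```python
"""Audit test over a constructed CRM extract for three application controls in the
sales work program: required key fields on opportunities, duplicate-opportunity
detection, and an effective validity period on every quote.
Field names and record layout are assumptions made for this example."""
import re
from datetime import date

# Constructed sample extract (not real customer data). Comments mark the seeded exceptions.
OPPORTUNITIES = [
    {"opp_id": "O-1001", "customer": "Acme Ltd.", "product": "Widget Pro", "owner": "jdoe",
     "created": "2003-01-10", "close_by": "2003-03-31", "status": "open"},
    {"opp_id": "O-1002", "customer": "ACME LIMITED", "product": "widget pro", "owner": "asmith",
     "created": "2003-01-12", "close_by": "2003-03-31", "status": "open"},   # same deal as O-1001
    {"opp_id": "O-1003", "customer": "Globex Inc", "product": "", "owner": "jdoe",
     "created": "2003-02-01", "close_by": "", "status": "open"},            # saved without key fields
    {"opp_id": "O-1004", "customer": "Acme Ltd.", "product": "Widget Pro", "owner": "jdoe",
     "created": "2002-11-01", "close_by": "2002-12-31", "status": "closed-won"},  # closed: not a duplicate
]
QUOTES = [
    {"quote_id": "Q-1", "opp_id": "O-1001", "valid_from": "2003-01-15", "valid_to": "2003-02-15"},
    {"quote_id": "Q-2", "opp_id": "O-1002", "valid_from": "2003-02-20", "valid_to": ""},  # open-ended
    {"quote_id": "Q-3", "opp_id": "O-1004", "valid_from": "2003-02-25", "valid_to": "2003-03-25"},
    {"quote_id": "Q-4", "opp_id": "O-1003", "valid_from": "2003-03-10", "valid_to": "2003-03-01"},  # inverted
]

# Assumed list of key fields the application should require before saving an opportunity.
REQUIRED_OPPORTUNITY_FIELDS = ("opp_id", "customer", "product", "owner", "created", "close_by")
# Assumed company-type suffixes to ignore when comparing customer names.
_LEGAL_SUFFIXES = re.compile(r"\b(limited|ltd|inc|incorporated|llc|plc|corp|corporation|co)\b")


def missing_key_fields(records):
    """Control: key fields are entered before an opportunity can be saved.
    Returns {opp_id: [missing field, ...]} for records that slipped through."""
    findings = {}
    for rec in records:
        missing = [f for f in REQUIRED_OPPORTUNITY_FIELDS if not str(rec.get(f, "")).strip()]
        if missing:
            findings[rec.get("opp_id", "<no id>")] = missing
    return findings


def normalize_name(value):
    """Fold case, drop company-type suffixes and punctuation so 'Acme Ltd.' == 'ACME LIMITED'."""
    lowered = _LEGAL_SUFFIXES.sub("", value.lower())
    return re.sub(r"[^a-z0-9]", "", lowered)


def potential_duplicates(records):
    """Control: the system identifies potential duplicate opportunities.
    Two open opportunities for the same normalized customer and product form a candidate
    pair (first record seen, later record); closed opportunities are not candidates."""
    seen = {}
    pairs = []
    for rec in records:
        if rec.get("status", "").lower() != "open":
            continue
        key = (normalize_name(rec["customer"]), normalize_name(rec["product"]))
        if key in seen:
            pairs.append((seen[key], rec["opp_id"]))
        else:
            seen[key] = rec["opp_id"]
    return pairs


def _parse_date(value):
    """ISO date string to date; blank means the field was never entered."""
    return date.fromisoformat(value) if value and value.strip() else None


def quote_validity_exceptions(quotes, as_of):
    """Control: every quote carries an effective time period.
    Returns {quote_id: reason} for quotes with no end date, an inverted period, or a
    period that has already expired as of the review date (those need follow-up)."""
    findings = {}
    for q in quotes:
        start, end = _parse_date(q.get("valid_from")), _parse_date(q.get("valid_to"))
        if start is None or end is None:
            findings[q["quote_id"]] = "no validity period recorded"
        elif end < start:
            findings[q["quote_id"]] = "validity period ends before it starts"
        elif end < as_of:
            findings[q["quote_id"]] = f"expired on {end.isoformat()}"
    return findings


def run_audit(opportunities=OPPORTUNITIES, quotes=QUOTES, as_of=date(2003, 3, 1)):
    """Bundle the three tests into one working-paper style result."""
    return {
        "missing_key_fields": missing_key_fields(opportunities),
        "potential_duplicates": potential_duplicates(opportunities),
        "quote_validity": quote_validity_exceptions(quotes, as_of),
    }


if __name__ == "__main__":
    for test_name, result in run_audit().items():
        print(f"{test_name}: {result}")
```

Any non-empty result is an exception against the stated control and goes into the Comments/Results column with the record IDs as the working-paper reference.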


Business objective: Proposals are created accurately and completely.
Risk: Proposals may be prepared incompletely or inaccurately. Therefore, they may not address the customers’ needs.
Control: Proposal creation procedures are enforced and stipulate the required information for each type of proposal.
Control: Sales personnel are trained in the preparation of proposals.
Control: A quality review of each proposal is conducted, in which the proposal is checked against the original requirements to ensure that all the customer requirements are met.
COBIT reference: AI2, DS7

Business objective: Proposals are created in a timely manner.
Risk: Proposals may not be prepared in a timely manner, resulting in forfeited sales opportunities.
Control: Proposal timelines are identified and followed during the creation of proposals.
COBIT reference: PO1, AI1

Business objective: The proposal addresses the customer’s requirements.
Risk: The proposal may not respond to the RFP or the customer’s requirements.
Control: All proposals are subject to quality review by management before being forwarded to the customer, to ensure the original customer requirements are met.
COBIT reference: PO8

Business objective: Products/services are easily distinguished from competitors.
Risk: The key reasons why customers should buy from the organization may not be clearly articulated, resulting in a lost sales opportunity.
Control: The CRM application can create comparisons with competitor products.
Control: The key value proposition for buyers is clearly articulated and communicated to sales personnel and customers.
COBIT reference: PO6, AI1


Business objective: Current product pricing and information is available to sales personnel.
Risk: Sales personnel may not have access to the latest pricing and product information, which could result in misleading information being supplied to customers.
Control: Pricing and product information is stored in a centralized CRM database and is easily accessed by all authorized sales personnel for use during the sales process.
COBIT reference: AI3, DS3, DS5

Business objective: The benefits of winning the proposal exceed the cost of proposal preparation.
Risk: The cost of preparing the proposal may exceed the profit of the sale.
Control: A cost-benefit analysis is prepared prior to creating proposals to ensure that the sales are profitable.
Control: There are mechanisms to capture the full cost of a bid/proposal.
COBIT reference: PO6, DS1

Business objective: Proposals are changed only by authorized personnel.
Risk: Inappropriate changes may be made to proposals, which may result in inconsistent and inaccurate information being presented to customers.
Control: Only authorized personnel can create or modify proposals.
Control: The CRM application populates pricing and other critical information into the proposal template.
Control: Proposals are reviewed and approved by management.
COBIT reference: DS5, DS9

Negotiating Terms and Closing Sales


Business objective: Customer questions and objections are answered in a timely manner.
Risk: Customer questions or objections may not be addressed, resulting in a lost sales opportunity.
Control: Procedures and methodologies exist for answering customer questions and objections.
Control: Sales personnel solicit customer feedback as part of the sales process to identify customer questions and objections not communicated.
Control: For lost customers there is a process for capturing the reasons why the customer ceased trading with the organization. Market research or other independent organizations are employed to interview/discuss issues with the lost customer (control for loss of major accounts only).
COBIT reference: DS4, DS8, AI1

Business objective: Sales personnel are trained in negotiating and closing sales.
Risk: Sales personnel may not be familiar with corporate guidelines for negotiating and closing sales transactions.
Control: Sales personnel are provided with appropriate training for negotiating and closing sales.
Control: Corporate guidelines exist and are communicated to sales personnel for negotiating and closing sales transactions.
COBIT reference: DS7, AI4

Inactive sales opportunities are closed.

Inactive opportunities may remain open in the pipeline, distorting the sales forecast or diverting sales personnel’s attention from more profitable sales leads.

Procedures enforce the close of inactive leads on a regular basis.

Aged reports of opportunities sorted by customer, salesperson, territory, channel, etc., are available both to clean up old prospects and to identify areas of poor sales performance (i.e., where leads are not being followed up).

COBIT: AI4, M1


Contract terms and conditions are drafted that are clear and satisfy both parties.

Contract terms and conditions may be misunderstood or disputed by the customer.

Important contractual clauses may be omitted, thereby exposing the organization to significant risk.

Standard contract terms and conditions are prepared and used by sales personnel.

Legal personnel are involved in any unusual contract negotiations.

Only qualified legal personnel make amendments to contracts.

COBIT: PO4, DS1

Processing Sales Orders

Sales orders are only processed once.

Duplicate sales orders may be received and/or processed.

Procedures include a search for existing sales orders before the entry of a new sales order.

The CRM system detects potential duplicate sales orders.

COBIT: DS5, DS11

Sales orders are processed in a timely manner.

Sales orders may not be entered into the system in a timely manner, resulting in delays for the customer.

Sales orders are entered promptly when received.

Monitoring controls are in place to analyze the timeliness of order processing.

COBIT: PO6, PO8, M1

Orders are created with reference to a quote (if applicable).

Sales orders may not reference the corresponding quotes, which could result in pricing errors or deviations.

Lost revenue or customer dissatisfaction may occur.

The CRM system automatically links the quotes to the sales order, or provides a list of possible quotes from which to reference the sales order.

Procedures govern the creation of sales orders based on quotes, whenever possible.

COBIT: AI1, AI4


Phone orders are routed to the appropriate personnel.

Phone orders may not be routed to the appropriate personnel.

Lost revenue or customer dissatisfaction may occur.

The system automatically routes the caller to the appropriate sales personnel or appropriate manual procedures exist.

COBIT: DS11

Customers’ calls are answered promptly.

Customer calls may not be answered and responded to promptly.

Lost business or customer dissatisfaction may occur.

Call wait times are actively monitored and appropriate remedial action taken if wait times exceed a predetermined maximum response time.

COBIT: M1, DS8

Orders are processed accurately and completely.

Incomplete or inaccurate orders may occur.

Lost revenue or customer dissatisfaction may occur.

The sales order processing system is configured to enforce the entry of all required fields necessary to completely process the sales order.

COBIT: DS9

Open orders and orders in error are corrected in a timely manner.

Open orders and orders that have errors may not process in a timely manner.

Lost sales and customer dissatisfaction may occur.

Open orders and orders with errors are monitored actively by sales personnel.

COBIT: M1


Order pricing, discounts and payment terms are approved.

Orders may be processed with unauthorized pricing, discounts or terms of payment.

The CRM application controls customer credit limits.

Changes to pricing, discounts and payment terms require management approval.

Prices may only be changed within pre-established limits. Management must approve all changes outside these limits.

Where ERP and CRM systems interact there is a single process for determining the price (i.e., either the ERP system or the CRM system is used for determining the price).

Regular monitoring of prices is carried out by review of pricing master data and actual margin achieved per order, to identify possible pricing errors (or salesperson override).

COBIT: AI2, DS5, DS11, M1

Customer orders are controlled by credit limits.

A customer’s credit limit may not be checked prior to order processing which may expose the organization to unnecessary risk of bad debts.

The CRM/sales order system validates that the customer credit limit has not been exceeded prior to processing the order.

Only authorized personnel can override credit limits.

COBIT: AI2, DS5
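As an added illustration of the pricing, discount and credit-limit controls in the two entries above (example code written for this page, not from the ISACA publication or any CRM product), the Python function below evaluates an order against a discount ceiling that sales staff may apply on their own authority, a tolerance for prices keyed above list, the customer's credit exposure, and a short list of roles permitted to override the credit limit. The limit values, role names and record layouts are assumptions; the point is that an override is tied to the actor's role and lands in the audit trail rather than silently passing.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Assumed policy parameters for this example (not from the ISACA publication).
MAX_UNAPPROVED_DISCOUNT = 0.10          # sales staff may discount up to 10% on their own authority
PRICE_TOLERANCE = 0.02                  # unit price may exceed list by at most 2% without review
CREDIT_OVERRIDE_ROLES = {"credit_manager", "finance_director"}

@dataclass
class Customer:
    customer_id: str
    credit_limit: float
    open_balance: float        # unpaid invoices plus orders accepted but not yet invoiced
    blocked: bool = False      # on credit hold

@dataclass
class OrderLine:
    sku: str
    list_price: float          # from the pricing master data
    unit_price: float          # as keyed on the order
    qty: int

def line_discount(line: OrderLine) -> float:
    """Discount fraction relative to the list price (negative means priced above list)."""
    return (line.list_price - line.unit_price) / line.list_price

def evaluate_order(customer: Customer, lines: List[OrderLine], actor_role: str,
                   credit_override: bool = False) -> Tuple[str, List[str]]:
    """Decide how an order may proceed and return (decision, reasons).

    decision: 'approved'       within sales authority
              'needs_approval' pricing or discount outside limits; route to management
              'rejected'       credit hold, or credit limit exceeded without an authorised override
    reasons:  entries for the order's audit trail
    """
    if customer.blocked:
        return "rejected", ["customer is on credit hold"]

    approvals_needed: List[str] = []
    audit_notes: List[str] = []

    for line in lines:
        d = line_discount(line)
        if d > MAX_UNAPPROVED_DISCOUNT:
            approvals_needed.append(
                f"{line.sku}: discount {d:.0%} exceeds {MAX_UNAPPROVED_DISCOUNT:.0%} sales limit")
        elif d < -PRICE_TOLERANCE:
            approvals_needed.append(
                f"{line.sku}: unit price {-d:.0%} above list, outside tolerance")

    exposure = customer.open_balance + sum(l.unit_price * l.qty for l in lines)
    if exposure > customer.credit_limit:
        # Only a permitted role may override, and the override is recorded, never silent.
        if credit_override and actor_role in CREDIT_OVERRIDE_ROLES:
            audit_notes.append(
                f"credit limit overridden by {actor_role} "
                f"(exposure {exposure:.2f} > limit {customer.credit_limit:.2f})")
        else:
            return "rejected", approvals_needed + [
                f"credit limit exceeded (exposure {exposure:.2f} > limit {customer.credit_limit:.2f})"]

    decision = "needs_approval" if approvals_needed else "approved"
    return decision, approvals_needed + audit_notes
```

An auditor testing this control would look for exactly these three outcomes in the system: orders within limits pass, orders outside pricing limits stop for management, and credit overrides are attributable to a named, authorised individual.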

Processing Internet Sales Orders


Customers’ personal information is protected.

The privacy of customer information collected on the web site may not be safeguarded, resulting in a loss of customer confidence.

A formal privacy policy governs the treatment of customer personal information.

The privacy policy is communicated to all customers via the web site and has been independently certified (e.g., BetterWeb, CPA WebTrust).

COBIT: PO6, PO8, DS11

Internet customers are differentiated to enable unique needs to be met.

Internet customers may not be identified uniquely.

The system is customized to identify Internet users and provide a tailored environment for each customer (e.g., access to order history, favorite links).

Internet procedures are linked into the core business to allow customers the ability to choose their channel preference for returns, future sales, sales support, customer service, etc.

COBIT: AI2, AI4

Internet customers are authenticated.

Web site security controls may not adequately protect customer accounts and online sessions.

Compromised customer confidentiality and fraudulent transactions may occur.

Password standards and controls are enforced by the system (e.g., minimum password lengths, disallowed common passwords).

Each Internet session times out after a predetermined period of inactivity.

COBIT: DS5
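The password controls above are usually tested by inspecting the application's configuration; the Python function below is an added example (written for this page, not part of the ISACA work program) of what an enforced standard looks like in code: a minimum length, a blocklist of common passwords applied after undoing the usual letter-for-symbol substitutions so that "P@ssw0rd1!" is still caught, and a check that the user name is not embedded. The 12-character minimum and the small blocklist are assumed policy values; a real deployment would load a large breached-password list.

```python
import re

# Constructed sample blocklist for this example; a production check would load a
# large list of breached/common passwords. Not from the ISACA work program.
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "letmein",
    "welcome", "admin", "iloveyou", "monkey", "football",
}

MIN_LENGTH = 12  # assumed policy value

# Letter-for-symbol substitutions users apply to slip a blocked word past a naive check.
_SUBSTITUTIONS = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                                "5": "s", "7": "t", "@": "a", "$": "s"})

def normalize(password: str) -> str:
    """Reduce a candidate to the base word it is built from, so that
    'P@ssw0rd1!' is compared against the blocklist as 'password'."""
    base = password.lower()
    # Drop trailing digits/punctuation appended only to satisfy complexity rules.
    base = re.sub(r"[\d!?.,_\-*#]+$", "", base)
    return base.translate(_SUBSTITUTIONS)

def check_password(password: str, username: str = "") -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if normalize(password) in COMMON_PASSWORDS:
        problems.append("variant of a commonly used password")
    if len(username) >= 3 and username.lower() in password.lower():
        problems.append("contains the user name")
    if len(set(password)) <= 2:
        problems.append("too few distinct characters")
    return problems
```

The normalisation step is what distinguishes a real blocklist from a cosmetic one: without it, "Welcome2024!" satisfies length and character-class rules while remaining one of the first guesses an attacker tries.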


The web servers can accommodate the anticipated volume of traffic.

Service delays and interruptions may occur.

Server capacity is appropriate for maximum anticipated customer volumes.

Server capacity is constantly monitored to identify potential problems before they occur.

COBIT: DS1, M1

Internet sales initiatives are effective at generating sales with existing customers and for obtaining new customers.

The effectiveness of Internet sales initiatives may not be measured.

The Internet sales channel may not be used to its full potential.

Use of the web site is monitored to assess its effectiveness (e.g., abandon rates, repeat customers).

Feedback is solicited from customers about the web site.

Web site improvement recommendations are prioritized regarding the impact on sales, cost-benefit, etc.

Improvement recommendations are incorporated into the web site to make it a more effective sales channel.

COBIT: M1, AI4, AI6, DS8

The web site contains comprehensive and up-to-date information on products/services.

Insufficient and inaccurate information about products and services may be available on the web site.

Page links may fail, resulting in customer abandonment.

Content management software is used to ensure that web site product and service data are accurate, complete, current and comprehensive.

All web site links and operations are tested prior to implementation for functionality and stickiness.

COBIT: DS9, AI5


Web site transactions are valid.

Web site transactions may not be verified or authorized.

Fraudulent transactions may be processed.

Customer credit card details are verified with banks; additional fraud prevention processes are in place.

COBIT: DS5, DS11

Internet orders are processed accurately and completely.

Internet order information may not be complete or accurate.

The CRM application requires key fields to be entered before the order can be saved.

Field validations are performed on key fields.

Reports are monitored to identify incomplete transfer of data from the web site front end to the order processing system.

Order confirmations are sent to customers.

COBIT: DS5, M1

Only valid sales orders are processed via the Internet.

Unauthorized individuals may process Internet orders.

User authentication procedures exist to validate the identity of customers.

Customer payment and address data are validated.

COBIT: DS5


Sales orders are processed completely and accurately.

Sales orders may not be processed due to a lost connection during an online session.

Sales order data may be incomplete, resulting in delays in shipping and customer dissatisfaction.

Contact information is provided in the event the customer needs to call about a processing error.

Shopping cart information is maintained to ensure the sales order is completely and accurately captured.

The Internet order entry system requires that all key fields be entered before the order can be submitted.

Customers are notified if any required data are missing.

COBIT: DS5, DS10

Customer credit card data are secured from unauthorized use.

Customer credit card data may not be encrypted, which could result in credit card information being compromised.

Customer credit card information is protected during transmission from the web site by encryption technology (e.g., 128-bit SSL/TLS encryption).

Credit card data are stored in a secured encrypted database within the organization and access is restricted to authorized personnel only.

COBIT: DS5, PO8

Sales order data are completely and accurately interfaced to back-office systems.

Delays may occur in shipping and invoicing, increasing the potential for cancelled orders and customer dissatisfaction.

The web site and CRM application are integrated.

Front- and back-office systems are integrated.

Interface monitoring controls ensure the accuracy and completeness of all data transfers between systems.

COBIT: AI1, PO8, DS3
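The interface monitoring control above is normally implemented as a batch reconciliation between the sending and receiving systems. The Python below is an added example (constructed for this page, not from the ISACA publication or any CRM/ERP product) that compares two daily order extracts using record counts, a hash total of the amounts, an order-independent fingerprint of the batch, and key-level matching to name the individual orders that went missing, arrived twice or changed value in transit. The extracts and field names are constructed sample data.

```python
import hashlib
from decimal import Decimal
from typing import Dict, List, Tuple

# Constructed sample extracts (not real data): the day's orders as captured by the
# web front end and as received by the order processing system.
WEB_ORDERS = [
    {"order_id": "W1001", "customer": "C42", "amount": "120.00"},
    {"order_id": "W1002", "customer": "C17", "amount": "75.50"},
    {"order_id": "W1003", "customer": "C42", "amount": "310.25"},
    {"order_id": "W1004", "customer": "C99", "amount": "19.99"},
]
BACKOFFICE_ORDERS = [
    {"order_id": "W1001", "customer": "C42", "amount": "120.00"},
    {"order_id": "W1002", "customer": "C17", "amount": "57.50"},  # digits transposed in transfer
    {"order_id": "W1004", "customer": "C99", "amount": "19.99"},
    {"order_id": "W1004", "customer": "C99", "amount": "19.99"},  # posted twice
]

def control_totals(records: List[Dict[str, str]]) -> Tuple[int, Decimal, str]:
    """Record count, hash total of amounts and an order-independent fingerprint of the batch.
    Decimal avoids binary floating-point rounding in the hash total."""
    count = len(records)
    amount_total = sum((Decimal(r["amount"]) for r in records), Decimal("0"))
    digest = hashlib.sha256()
    for line in sorted(f"{r['order_id']}|{r['customer']}|{r['amount']}" for r in records):
        digest.update(line.encode() + b"\n")
    return count, amount_total, digest.hexdigest()

def _index(records):
    """Map order_id -> record, and collect ids that occur more than once."""
    by_id, duplicates = {}, []
    for r in records:
        if r["order_id"] in by_id:
            duplicates.append(r["order_id"])
        else:
            by_id[r["order_id"]] = r
    return by_id, duplicates

def reconcile(source, target):
    """Compare the sending and receiving extracts and return the exceptions an
    interface monitoring report would list. 'clean' is True only when everything agrees."""
    src, _ = _index(source)
    tgt, tgt_dups = _index(target)
    report = {
        "totals_match": control_totals(source) == control_totals(target),
        "missing_in_target": sorted(set(src) - set(tgt)),
        "unexpected_in_target": sorted(set(tgt) - set(src)),
        "duplicates_in_target": sorted(set(tgt_dups)),
        "amount_mismatch": sorted(
            oid for oid in set(src) & set(tgt)
            if Decimal(src[oid]["amount"]) != Decimal(tgt[oid]["amount"])),
    }
    report["clean"] = report["totals_match"] and not any(
        report[k] for k in ("missing_in_target", "unexpected_in_target",
                            "duplicates_in_target", "amount_mismatch"))
    return report
```

Note that in the sample both extracts contain four records, so a control that compares counts alone would pass; the hash total and the key-level comparison are what expose the lost order, the duplicate and the altered amount.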


Sales orders are confirmed with the customer.

Sales orders may not be confirmed, which might result in sales order errors remaining undetected, increasing the potential cost of returns.

Sales orders via the Internet are confirmed and a unique order number is provided to the customer, which can be used for tracking the order status.

Management monitors order confirmations and open orders.

COBIT: DS3, M1

Stock availability is confirmed with the customer.

The systems may not provide customers with real-time inventory availability data, which could lead to customer dissatisfaction and loss of repeat business.

The availability of stock to complete the order is provided online to the customer prior to placing the order.

Customers are automatically notified via e-mail or phone when unexpected stock shortages or delays occur.

COBIT: DS8, DS11

Customer sessions are terminated after they have logged out.

If customers do not log out, the session may remain active after they have left their terminal.

Unauthorized or fraudulent transactions may occur.

The system terminates the customer’s active session when they select the log out option.

The browser back key cannot be used to gain access to a terminated session.

COBIT: DS5
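The two session controls on this page, the inactivity timeout listed under Internet customer authentication and the logout and back-button controls in the entry above, are both decided on the server, never by the browser. The Python below is an added example (written for this page, not code from the ISACA publication or any CRM product) of a server-side session store that enforces an idle timeout, destroys the session on logout so a token restored from the browser's history is useless, and emits the cookie attributes and cache-control headers that stop the browser from serving a terminated session's pages from its local cache. The 15-minute timeout and the cookie name are assumed values.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

IDLE_TIMEOUT_SECONDS = 15 * 60  # assumed policy value for the inactivity timeout

@dataclass
class Session:
    user_id: str
    created_at: float
    last_seen: float

class SessionStore:
    """Server-side session registry. The browser holds only an opaque random token;
    whether that token is still live is decided here, never by the client."""

    def __init__(self, idle_timeout: float = IDLE_TIMEOUT_SECONDS):
        self.idle_timeout = idle_timeout
        self._sessions: Dict[str, Session] = {}

    def create(self, user_id: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG: unguessable
        self._sessions[token] = Session(user_id, now, now)
        return token

    def validate(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user_id for a live session, or None if the token is unknown,
        was logged out, or has been idle longer than the timeout. A successful
        check refreshes the idle timer."""
        now = time.time() if now is None else now
        sess = self._sessions.get(token)
        if sess is None:
            return None
        if now - sess.last_seen > self.idle_timeout:
            # Drop it so a later request with the same token cannot revive it.
            del self._sessions[token]
            return None
        sess.last_seen = now
        return sess.user_id

    def logout(self, token: str) -> None:
        """Terminate the session server-side. The token is dead afterwards even if the
        browser still presents it (e.g. a page restored with the back button)."""
        self._sessions.pop(token, None)

def session_cookie_header(token: str) -> str:
    """Set-Cookie value for the session token: unreadable by script, HTTPS-only,
    not sent on cross-site requests."""
    return f"session={token}; Path=/; HttpOnly; Secure; SameSite=Lax"

def no_store_headers() -> Dict[str, str]:
    """Headers for every authenticated page so the browser does not keep a copy it could
    show from cache after logout; together with server-side invalidation this is what
    makes the back button useless against a terminated session."""
    return {
        "Cache-Control": "no-store, no-cache, must-revalidate, max-age=0",
        "Pragma": "no-cache",
        "Expires": "0",
    }
```

When testing the control, the auditor's evidence is twofold: a request replaying the old token after logout is refused by the server, and the authenticated pages carry no-store caching headers so that nothing sensitive is left in the browser to page back to.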

Processing Telephone Sales/Telesales


Telesales strategies are properly communicated to sales personnel.

Telesales strategies may not be properly communicated to sales personnel.

Telesales strategies are formalized, clearly documented, and communicated to all sales personnel.

Strategies include identifying the marketing activity (e.g., qualifying opportunities, setting appointments, gathering information, closing the sale), identifying how these activities are presently handled, and how telesales can achieve the company’s sales goals.

COBIT: AI4, PO1

Telesales activities are controlled and monitored to ensure goals are met.

Telesales activities may not be monitored properly and, therefore, sales goals are not met.

Management monitors telesales activities.

Regularly, management evaluates and makes adjustments to telesales activities to ensure telesales goals are met.

COBIT: M1, DS11


Telesales personnel are properly trained and their activities monitored to ensure their conduct and performance best represent the company in meeting its telesales objectives.

Telesales personnel may not be adequately trained. As a result, potential sales may be lost or optimum customer satisfaction may not be achieved.

The company trains and routinely monitors the activities of telesales personnel. Training may include:
- Use of sales literature
- Responses to common questions/objections
- Use of call scripts
- Increased emphasis on listening
- Building rapport
- Understanding of products and/or services and how they best fit the customer’s buying motives (e.g., financial benefits, security, convenience, sex appeal, pleasure and acceptance)

Monitoring activities may include:
- Periodic review of sales calls
- Comparing actual to budgeted goals

COBIT: DS7, M1


Sales personnel identify and manage their objectives and goals for each call.

Call goals are not identified, which may result in nonproductive sales activity.

Goals are identified for each call.

Telesales personnel identify the marketing context and approach of the telephone call and what they want to accomplish (e.g., initial contact or closing sale). This will then determine what they have to learn about the prospect or his/her company before the call.

Sales personnel may identify:
- Entity (e.g., individual or business)
- Decision maker(s)
- Questions to ask to understand the buyer’s needs, desires, concerns and problems
- Accuracy of information that may be presented
- Previous inquiries about products/services

COBIT: PO1, DS1

Customers are contacted only once per sales opportunity.

Telesales personnel may inadvertently contact a customer that has already been contacted or closed.

The CRM application is used to accurately track and close opportunities.

The CRM application prevents multiple telesales personnel from contacting the same prospects by a lock-out feature on the record.

COBIT: PO9, DS5


Telesales personnel utilize electronic “call worksheets” to ensure proper information and gathering of information is performed for each prospect.

Call worksheets may not be utilized to track telesales activities.

Sales personnel utilize electronic “call worksheets” to track and monitor telesales activities. Call worksheets may include:
- Opening (e.g., greeting/introduction)
- Decision-makers and influencers
- Buyer’s needs/response to needs
- Product position (e.g., position features and benefits to match buyer’s needs)
- Call notes
- Closing activity (e.g., ask for order, request next step, action step, commitment)

COBIT: PO9, M1

Telesales personnel interact with customers in a knowledgeable and consistent manner.

Untrained or inexperienced telesales personnel may be inconsistent or unknowledgeable. As a result, customer interactions may not be appropriate.

The smart scripting functionality within the CRM application is used to enable the telesales personnel to interact with customers in a knowledgeable and consistent way. Smart scripting generates questions to ask callers, based upon their answers to previous questions and customer attributes.

COBIT: DS7, DS8

The environment is free from excessive noise, so that communication between customers and telesales personnel is clear.

Customers may not be able to hear or understand telesales personnel.

The company maintains a productive working environment for its telesales personnel and the environment is free from excessive noise.

COBIT: PO6


Telesales personnel are trained to gather and analyze customer information to ensure customer’s needs/wants are met successfully.

Customer needs may not be fully identified or addressed, resulting in lost sales.

Telesales personnel are periodically trained to gather and analyze customer information to determine needs and interests.

Training activities may include:

- Developing effective listening skills (e.g., listening for buying motives that may not arise in the course of formal questioning)

- Probing more detailed questions (e.g., open-ended questions for a full, expository answer)

- Utilizing available data (e.g., information gathered on application forms, requests for information)

COBIT: DS7, PO7

Telesales personnel are trained to ensure product/ service fits customer’s needs.

Product/service solution may not fit customer’s needs/wants.

The company provides periodic training to its telesales personnel on its products/services, identifying potential needs/wants they may satisfy.

Changes to an enterprise’s products/ service are formally communicated, identifying the value that can be obtained and potential needs that can be filled.

COBIT: DS7, PO7


Telesales personnel are given appropriate access to customer information.

Telesales personnel may not have access to critical customer information.

Telesales personnel have access to critical customer information to allow them to review and analyze customer information.

COBIT: DS5

Note: Please refer to the Processing Sales Orders section for additional telesales order controls and the Customer Service section for additional controls for managing telesales personnel within the interaction center.

Delivering Goods to the Proper Location at the Right Time

Goods are delivered to the proper location at the right time.

Deliveries may be created which do not refer to approved sales orders, therefore fraudulent deliveries could occur.

Orders are validated for completeness during order handling before they are passed to delivery.

Deliveries completed before the end of the period are posted to update the inventory balances.

COBIT: AI2, DS1

Goods are delivered to the proper location at the right time.

Backorders and incomplete orders may not be processed when items become available, resulting in lost sales and customer dissatisfaction.

Management periodically reviews the list of backorders and releases them for processing.

COBIT: DS1, DS10


Goods are delivered to the proper location at the right time.

Deliveries may not be processed in the correct accounting period if procedures are not established to verify cutoff of shipments. This would result in misstated inventory and cost of goods sold, and a failure to invoice the customer for the sale.

Goods can be posted for a delivery only if the following prerequisites are fulfilled:
- The data in the delivery must be complete.
- Picking must have been completed for all items in the delivery.

Once a delivery has been processed, the following functions occur:
- Stock quantities are updated.
- Balance sheet accounts are evaluated and updated.
- Requirements are reduced.
- The invoice is processed.

COBIT: AI2, DS9, DS11

Goods are delivered to the proper location at the right time.

Access to delivery processing functions may not be restricted to users in the shipping department, allowing unauthorized deliveries and unauthorized changes.

Access to delivery functions is restricted to delivery personnel.

COBIT: DS5


Goods are delivered to the proper location at the right time.

Approved orders may not be delivered, resulting in financial loss to the company, dissatisfied customers and understated revenues and receivables.

All approved orders are processed for delivery regularly.

COBIT: DS11

Goods are delivered to the proper location at the right time.

Rejected deliveries may not be isolated, analyzed and corrected in a timely manner.

Rejected and incomplete deliveries are reviewed regularly and corrected.

COBIT: DS10

Goods are delivered to the proper location at the right time.

Deliveries may be processed for customers who represent a credit risk to the company.

Customer may not be advised promptly that orders and deliveries will not be processed for them due to their credit risk.

Customers who are considered a risk for payment are blocked for deliveries and informed promptly that the sales order and delivery cannot be processed. By clearly communicating these policies, any confusion by the customer is avoided.

COBIT: DS10

Goods are delivered to the proper location at the right time.

Ordered goods may not be picked and packed for shipment properly, resulting in shipping delays.

A formal process exists for picking and preparing orders for shipment.

Procedures for picking and preparing orders for shipment are documented.

Shipping personnel are properly trained on all loading procedures.

Specifications and quantities of products retrieved from storage are reconciled back to the authorized customer order or delivery documentation prior to loading.

Order picking is undertaken to ensure that stock is picked on a FIFO basis.

A goods dispatched document is issued for all deliveries.

Goods dispatched documents are pre-numbered and sequentially controlled.

Order documents are pre-numbered and missing documents are investigated promptly.

Key performance indicators are:
- Order accuracy
- Percentage pick accuracy
- Number of expedited or emergency orders by cause

COBIT: PO6, M1, DS7, DS10, DS13
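Pre-numbered, sequentially controlled documents are only a control if someone actually looks for the breaks in the sequence. The Python below is an added example (constructed for this page, not from the ISACA publication or any warehouse system) that audits a day's goods dispatched numbers for gaps, duplicate numbers and entries that do not fit the series format, each of which is an exception to investigate. The "GD-" prefix, the number format and the sample list are constructed assumptions; first_expected lets the check continue from the previous period's last number so a gap at the start of the day is not missed.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

DOC_PATTERN = re.compile(r"^(?P<prefix>[A-Z]+-)(?P<num>\d+)$")

# Constructed sample: goods dispatched numbers logged for one day (not real data).
SAMPLE_DISPATCH_NUMBERS = [
    "GD-000120", "GD-000121", "GD-000123", "GD-000123",
    "GD-000125", "gd-126", "GD-000127",
]

def check_sequence(doc_numbers: List[str], series_prefix: str = "GD-",
                   first_expected: Optional[int] = None) -> Dict[str, object]:
    """Audit a pre-numbered document series.

    Returns gaps (numbers with no document on file), duplicates (the same number
    used twice) and malformed entries (wrong prefix or format). first_expected is
    the number that should follow the previous period's last document."""
    nums, malformed = [], []
    for doc in doc_numbers:
        m = DOC_PATTERN.match(doc)
        if m is None or m.group("prefix") != series_prefix:
            malformed.append(doc)
        else:
            nums.append(int(m.group("num")))
    counts = Counter(nums)
    duplicates = sorted(n for n, c in counts.items() if c > 1)
    if not nums:
        return {"gaps": [], "duplicates": [], "malformed": malformed, "range": None}
    lo = min(nums) if first_expected is None else first_expected
    hi = max(nums)
    gaps = [n for n in range(lo, hi + 1) if n not in counts]
    return {"gaps": gaps, "duplicates": duplicates, "malformed": malformed, "range": (lo, hi)}
```

In the sample, the malformed entry "gd-126" is also what produces the gap at 126: a hand-keyed number that escaped the mask is reported twice, once as bad format and once as a missing document, until someone corrects the record.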

Goods are delivered to the proper location at the right time.

Shipments may not be accurate.

A formal process exists for verifying loads for shipment (correct goods/ quantities and no damage/mislabeling).

Packing materials, containers and procedures give consideration to the nature of the product and method of delivery to safeguard products.

Goods are checked for accuracy, damage and proper labeling/packing prior to loading.

COBIT: PO6


Goods are delivered to the proper location at the right time.

Carriers may not deliver goods to customers on time.

Formal processes exist for coordinating carrier transport for customer shipments.

All transport carriers are evaluated for financial stability, service quality and proper insurance.

The selection of approved carriers also involves personnel independent of the logistics function.

Customer information and specific requirements are communicated to external carriers to ensure timely and accurate delivery.

Key performance indicators are:
- Transit cycle times by mode, route and carrier
- Percentage of shipments by individual carrier
- Percentage of shipments by mode
- Transit time
- Dollar amount by carrier

COBIT: PO6, PO11

Goods are delivered to the proper location at the right time.

Shipping documentation may not be accurate.

Formal processes exist for preparing/processing shipping documentation.

Documented procedures for outbound logistics are in place.

Personnel are trained properly on procedures.

All delivery notes are signed and time-stamped by customers or third-party carriers.

Controls are in place to ensure proper preparation, approval and accountability over bills of lading, air bills, manifests or the equivalent.

Final shipping documents, as updated from the pick tickets during loading, drive customer billings.

Shipping documents are cross-referenced properly to the document authorizing the shipment.

Controls ensure goods are shipped in accordance with the agreed delivery terms.

Appropriate procedures exist for obtaining and filing signed documents and recording of seals on all loaded trucks.

Key performance indicators are:
- Undeliverable shipments by cause
- Billing disputes by customer/cause/location
- Delivery document accuracy percentage
- Credit memos by cause

COBIT: AI2, PO4, DS7, DS13

Goods are delivered to the proper location at the right time.

Foreign or other unique customer shipments may not be delivered to the customer on time to the right location.

Formal processes exist for preparing/processing documentation for foreign/other unique customer shipments.

Export arrangements and requirements are separately determined and take into account methods of transportation, packing requirements, etc.

Export documentation clearly defines when title passes and when responsibility for insurance passes to the importer.

Procedures are adequate to ensure that all necessary documents are forwarded to customers so that they are received before goods arrive.

Customs classifications for materials are accurately defined for customs purposes.

Applicable export permits are obtained for all shipments as necessary.

Shipments classified as containing hazardous materials have the required transport/safety documentation.

Controls are in place for the return of signed manifests documenting final disposition of hazardous loads.

COBIT: DS13, AI1, PO6


Goods are delivered to the proper location at the right time.

Customer shipments may not be tracked properly.

Formal processes exist for tracking products shipped to customers.

A reliable system is in place for monitoring customer shipments and taking corrective action promptly.

An emergency delivery process is in place and understood.

Key performance indicators include:
- Redeliveries
- Order receipts
- Order refusals
- Delivery promised dates to actual
- Inquiry response time by average minutes/hours
- Perfect orders received or delivered on time
- Customer complaints (total or percentage)

COBIT: DS13, PO4

Goods are delivered to the proper location at the right time.

Customers may not be communicated with promptly about goods damaged, lost or stolen in transit.

Formal processes exist for addressing goods damaged, lost or stolen in transit.

Procedures are in place to ensure freight claims are promptly filed, followed up and collected.

Allowances or returns for products damaged, lost or stolen in transit are handled within the company’s policy parameters.

Management reviews and follows up on reports of customer returns due to incorrect goods being delivered or billing disputes relating to products delivered that were of inferior quality or damaged.

Key performance indicators:
- Damages/loss as a percentage of sales
- Shipments with claims percent/carrier claim ratio
- Claims handling cycle time (days)
- Damage-free delivery performance
- Total damage costs

COBIT: PO8, M1, DS13

Post Sales—Handling Customer Sales Questions

Sales inquiries are routed to the correct personnel for response.

Sales inquiries may be misrouted, resulting in customer dissatisfaction because of response delays.

Sales personnel maintain regular contact with customers.

Inquiries are routed to the correct inside or outside sales person for resolution.

COBIT: DS1

Customer requests are immediately acknowledged, enhancing customers’ experience and satisfaction.

Customer requests may not be acknowledged in a timely manner.

Customer requests are auto-answered, when feasible.

Acknowledgments or confirmations are sent to customers to indicate that their request was received and the expected response time is indicated.

Customers are provided self-service functionality to handle the majority of sales inquiries.

COBIT: DS1


Customer sales information is completely and accurately input.

Customer sales information may be entered inconsistently or incompletely.

Sales personnel are trained appropriately on data entry requirements and the intended uses for fields.

Key fields are required to be entered.

When possible, pick lists and field masks are used to validate and secure data entry (i.e., pick lists for titles, preferences, states, field masks for phone numbers, social security numbers, credit card numbers).

COBIT: DS7
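The pick lists and field masks in the control above are the input validation layer of the CRM; the Python below is an added example (written for this page, not from the ISACA publication or any CRM product) of what those masks look like when enforced: a phone and social security number mask that returns a canonical form, a state pick list, a Luhn check-digit test for card numbers, and a masking function so that only the last four digits of a card number appear anywhere outside the secured card data store. The state subset, field names and sample form values are constructed; the card numbers used in the test are the standard publicly documented test numbers, not real accounts.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed subset of a state pick list for this example.
US_STATES = {"CA", "NY", "TX", "WA"}

FIELD_MASKS = {
    "us_phone": re.compile(r"^\(?(\d{3})\)?[-. ]?(\d{3})[-. ]?(\d{4})$"),
    "us_ssn": re.compile(r"^(\d{3})-?(\d{2})-?(\d{4})$"),
}

def validate_masked(kind: str, value: str) -> Optional[str]:
    """Return the value in canonical NNN-NNN-NNNN / NNN-NN-NNNN form if it fits the mask, else None."""
    m = FIELD_MASKS[kind].match(value.strip())
    return None if m is None else "-".join(m.groups())

def luhn_valid(number: str) -> bool:
    """Luhn check-digit test for payment card numbers. It catches mistyped digits,
    not fraud: a valid checksum says nothing about whether the card exists."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def validate_card_number(value: str) -> Optional[str]:
    digits = re.sub(r"[ -]", "", value.strip())
    if not digits.isdigit() or not luhn_valid(digits):
        return None
    return digits

def mask_pan(pan: str) -> str:
    """Display form of a card number: only the last four digits survive."""
    return "*" * (len(pan) - 4) + pan[-4:]

def validate_state(value: str) -> Optional[str]:
    code = value.strip().upper()
    return code if code in US_STATES else None

VALIDATORS = {
    "phone": lambda v: validate_masked("us_phone", v),
    "ssn": lambda v: validate_masked("us_ssn", v),
    "card_number": validate_card_number,
    "state": validate_state,
}

def validate_order_form(form: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Apply the masks and pick lists to a submitted form. Returns the canonical values
    and the names of fields that failed; a form with any failure must not be saved."""
    clean, errors = {}, []
    for field, validator in VALIDATORS.items():
        value = validator(form.get(field, ""))
        if value is None:
            errors.append(field)
        else:
            clean[field] = value
    if "card_number" in clean:
        # The full PAN goes only to the encrypted card store; everything else sees the mask.
        clean["card_number_masked"] = mask_pan(clean["card_number"])
    return clean, errors
```

Two caveats a tester should keep in mind: masks enforce format, not truth (a well-formed number can still be someone else's), and the same validation must run on the server even when the web form also checks it in the browser, since the browser-side check is under the customer's control.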

Sales inquiries are routed appropriately and reports on requests are accurate.

Requests may be categorized inconsistently, resulting in inaccurate routing and/or reporting.

Sales personnel (or customers via web forms/e-mail) are required to select a request type from a pick list to indicate the type of inquiry.

COBIT: AI4

Inquiries are routed appropriately and reports on requests are accurate.

Inquiries may be categorized inconsistently, resulting in untimely resolution and inaccurate reporting.

Sales personnel are trained on the proper usage of the different request types.

Formal procedures exist for processing requests.

COBIT: DS7


Adequate information is captured about customer inquiries.

Insufficient detail as to nature of the request may be captured in initial contact with customer.

Sales personnel are appropriately trained on the importance of understanding and documenting the request with sufficient detail.

A description field is required when documenting a request.

COBIT: DS7

Inquiries are appropriately prioritized, so that they are addressed in an appropriate manner.

Inquiries may be prioritized inappropriately.

Sales personnel are trained appropriately on the meaning of service request severity codes.

The severity field is required and given an appropriate default.

Management monitors the number of outstanding service requests by severity to help determine the appropriate use of severity codes.

COBIT: DS7, AI1, M1

Inquiry resolution information is captured.

Sales personnel may not provide complete descriptions of how issues are resolved. Therefore, request resolution information is not available to answer subsequent questions.

The inquiry resolution field should be configured as required to ensure proper documentation.

DS9


Business objective: Inquiries and requests are appropriately closed.
Risks:
- Inquiries and requests may not be closed properly; therefore, the requests remain open on the system and continue to be worked on by other employees.
Controls:
- Procedures are defined on how and when to appropriately close a request or inquiry.
- Monitoring controls exist to monitor open requests or inquiries to ensure that they are closed in a timely manner.
COBIT reference: DS13, M1

Business objective: Customers are satisfied with the request resolution.
Risks:
- Requests may be closed without the customer being satisfied with the response.
Controls:
- Customers are surveyed periodically to determine satisfaction. The surveys include feedback on system accessibility, front-line professionalism and overall satisfaction with the way their calls are handled.
- When customers' e-mail addresses are available, they are e-mailed a confirmation that their request has been closed, and the customers have the ability to provide feedback. Mail confirmation is sent if e-mail is unavailable.
COBIT reference: DS1


Business objective: Customer feedback is quantified and analyzed on a proactive basis.
Risks:
- Sales personnel may not be effective in handling customer inquiries.
Controls:
- Management notifies appropriate individuals that a complaint was filed for their area of responsibility.
- Management and the responsible individual determine and implement an action plan to avoid the noted complaint in the future.
- The action plans are documented and monitored.
COBIT reference: AI5, DS1, M1


2. Marketing Risks Work Program

The following work program will help manage marketing risks within the organization. Those auditing, reviewing or advising on controls in a CRM project need to select tasks from the work program and consider the key issues raised in the IT Governance Institute publication Risks of Customer Relationship Management as part of their preparation. The work program should not be used as a checklist of best practice, but as a selection of examples of good practice that can be applied. By using the work programs blindly, there is a risk of losing the confidence of the auditee and even of missing the largest risks in the project, due to the peculiarities of each project. Therefore, work programs should be used as guidance and specific knowledge of the organization and risks should be added to them.

Note: A business objective may be listed more than once because it has multiple risks and corresponding control objectives. Note disclaimer.

Each entry below gives the business objective, the associated risks, the controls, space for comments/results/W/P reference, and the COBIT reference.

Marketing Strategy

Business objective: New product and service offerings are defined accurately and clearly.
Risks:
- New product and service offerings may be defined inaccurately or unclearly, resulting in diminished sales opportunities or dissatisfied customers.
Controls:
- Product offerings are clearly defined and planned. The information includes, at a minimum:
  - Target audience
  - Expected revenue stream
  - Time period
  - Cost
- A process is in place for gathering and documenting the technical specifications, intended uses and functional information for products and services, including, at a minimum:
  - Product shelf life
  - Product wear-out rates
  - Problems that may result from improper usage or consumption
COBIT reference: PO1, AI4, AI6


Business objective: New product and service offerings are continually identified.
Risks:
- The organization may not meet sales and marketing goals because new product and service offering possibilities are not identified.
Controls:
- A process is in place for the continual generation and review of new product and service ideas.
COBIT reference: DS3

Business objective: Products are available to ensure a successful new launch.
Risks:
- Product or retailer marketing campaigns may not consider production schedules or inventory levels, resulting in delays in product delivery.
- Contractual defaults or customer dissatisfaction may result.
Controls:
- As part of the product development processes, procedures ensure that products or services can be supplied following a product or service launch.
COBIT reference: DS1, DS3

Business objective: Product pricing is commensurate with market conditions and product positioning.
Risks:
- Pricing may not be appropriate for product or service positioning, resulting in a loss of sales.
Controls:
- Market information and research aid in determining product pricing.
COBIT reference: PO10

Business objective: Access is properly restricted.
Risks:
- Pricing lists, marketing templates and literature may be altered without authorization.
Controls:
- Only authorized users have access to create/maintain pricing lists, marketing templates, literature, etc.
COBIT reference: DS5


Business objective: Product effectiveness is monitored.
Risks:
- New product or service offerings may not be measured, resulting in the inability to determine the success of the new product or service.
Controls:
- Project managers are made accountable for delivering a commercially successful product.
- Customer and competitive reaction to the new product is monitored.
- Planned vs. actual financial results are monitored and reported to management.
- A product-costing model is used to assess product costs, including all ancillary costs related to product introduction as well as development.
COBIT reference: M1

Marketing Strategy Research and Execution (Market Understanding and Analysis)

Business objective: Market data are valid and from a reliable source.
Risks:
- Invalid market data may lead to false assumptions regarding market conditions.
Controls:
- Market data are validated and research sources are investigated for reputation and reliability.
COBIT reference: DS11

Business objective: A complete understanding of market conditions exists within the organization.
Risks:
- An incomplete understanding and analysis of market conditions may lead to ineffective or inappropriate market strategy and sales penetration.
Controls:
- Market-driving conditions have been identified.
- Analytical procedures are used to measure and monitor changing conditions.
COBIT reference: AI1


Business objective: Competitor product and service offerings are identified and their impact on the organization's own product and service range is fully assessed.
Risks:
- The organization may lose a competitive advantage by not identifying a competitor's changes in its product and service offerings.
Controls:
- Regular comparison of product and service offerings is performed against identified competitors, and improvements are made to product and service offerings, as appropriate.
COBIT reference: DS3, PO3

Business objective: Customer feedback and survey responses are accurate.
Risks:
- Inaccurate customer feedback and responses to marketing surveys may lead to an inaccurate understanding of customer wants and needs.
Controls:
- Procedures exist to ensure that marketing surveys and customer feedback are accurate and that questions are not leading (i.e., forcing or encouraging the customer to answer a certain way).
- Customer feedback is incorporated into the processes to improve products and services.
COBIT reference: AI4, AI5, PO10

Business objective: Regulatory barriers relevant to entering a market are clearly understood.
Risks:
- Regulatory barriers may significantly delay or prevent entry into markets.
Controls:
- Regulatory barriers are identified and assessed by marketing personnel and are taken into consideration when working with research and development for new products and services.
COBIT reference: PO8

Marketing Strategy Research and Execution (Market Segmentation)

Business objective: Customer needs and wants are understood completely.
Risks:
- Information about targeted consumers may be poor or unavailable.
- Customer expectations may not be understood properly.
Controls:
- Marketing surveys are used to understand customer needs and wants. These surveys contain information such as:
  - Demographics
  - Preferences
  - Buying habits
COBIT reference: DS1


Business objective: Market segments are clearly and properly defined.
Risks:
- Unclear or outdated market segment definitions may lead to inefficient campaigns and target marketing.
Controls:
- Marketing personnel periodically evaluate existing market segment definitions.
- Segment definitions are updated periodically as the market changes.
COBIT reference: DS1

Business objective: Market segments are prioritized and campaigns are appropriately targeted to maximize return on investment for marketing expenditures.
Risks:
- Marketing dollars may be spent on market segments that do not need the incentives provided or that are not part of management's strategic plan for targeting customers.
- Fewer sales leads may be generated as a result of inappropriate campaign targeting.
Controls:
- Marketing prioritizes market segments based on the organization's strategic plan, highest return, growth potential, competitive advantage, etc.
- Campaigns are prioritized and targeted toward the most profitable market segments.
COBIT reference: PO5

Marketing Strategy Research and Execution (Marketing Campaign Planning and Execution)

Business objective: Efficient campaigns are conducted, leveraging technology to automate and inform the processes of planning, executing, tracking and analyzing marketing campaigns.
Risks:
- Inefficient and ineffective campaigns, which do not maximize the organization's marketing investment dollars, may be executed.
Controls:
- Campaign management software and processes are used to effectively plan, execute, track and analyze marketing campaigns.
- Marketing personnel measure each campaign's return on investment, time to market, campaign execution, etc.
COBIT reference: AI1


Business objective: Campaign effectiveness is measured through the use of clearly defined metrics and objectives.
Risks:
- Ineffective campaigns may be repeated due to poor or undefined metrics and objectives.
- Effective campaigns may not be detected and therefore are not repeated.
Controls:
- Clearly defined metrics and objectives are in use to track and review campaign effectiveness and return on investment.
- Management uses the objectives and metrics to assess campaign effectiveness. Metrics to consider tracking are:
  - Costs
  - Return on investment
  - Customer response
  - Customer action
- Lessons learned are tracked for both successful and unsuccessful campaigns, and the lessons are incorporated into future campaigns.
COBIT reference: AI4, PO10

Marketing Strategy Research and Execution (Capturing and Analyzing Marketing Strategy Effectiveness)

Business objective: The organization efficiently and effectively analyzes customer information.
Risks:
- Marketing information that has been gathered may not provide value.
Controls:
- Data mining techniques and software are used to analyze customer data. Data mining techniques may include:
  - Product affinity analysis
  - Customer retention and vulnerability
  - Customer acquisition life cycle
  - Price optimization
  - Risk management
- Data modeling techniques are regularly reviewed to optimize interpretation of existing data.
COBIT reference: PO2


Business objective: The marketing strategy is continually refined based on new customer data.
Risks:
- Marketing strategies and campaigns may not be effective for current and future trends.
Controls:
- Data mining results and campaign effectiveness reports are incorporated formally into future marketing decisions.
- Formal procedures exist to assess and report campaign effectiveness to all relevant personnel on an ongoing basis.
- Meaningful and relevant key performance indicators are measured and analyzed.
COBIT reference: AI1, PO1

Vendor Management

Business objective: Marketing service providers meet quality, quantity, price, delivery and other requirements.
Risks:
- Advertising agencies, market research organizations and other marketing service providers may not provide value for services purchased.
- Organization policy may not require that service providers be selected through a formal process, using objective criteria.
- Contractual terms may not be clear, favorable to the organization, properly enforceable or competitive.
Controls:
- Management approval procedures are in place to select and review marketing service providers.
- A formal vendor selection and management methodology is used.
- Procedures to monitor vendor viability and creditworthiness are used.
- Periodic competitive rebidding is required.
COBIT reference: DS1, DS2

Business objective: Vendor work meets quality and delivery standards.
Risks:
- Vendor quality standards may differ in material ways from those of the marketing organization, leading to substandard work.
- Supervision of the vendor by the marketing organization may be difficult (if the vendor is physically remote).
- Vendor employees may breach organization standards related to information security and confidentiality.
- The vendor could cease operations, with resultant losses or costs related to replacement of services.
- Marketing projects may not be managed properly.
Controls:
- Formal procedures are used to monitor vendor quality and delivery standards (e.g., time, documentation).
- Escrow agreements and contingency plans are used in the event the vendor ceases operations.
- Confidentiality agreements are signed by all vendor employees.
- Strong internal project managers are used to manage vendors.
COBIT reference: DS2

Technology Management

Business objective: Organization technology infrastructure and design should be fully supportive of all beneficial marketing activities.
Risks:
- Organization technology infrastructure and design may not be capable of supporting competitive marketing activities such as Internet web pages or call centers.
Controls:
- Policies and guidelines for investment in marketing technology are developed jointly by marketing and the IT organization.
- The marketing channel selection process includes procedures to address technology requirements, and other competitive marketing activities are incorporated into the analysis.
COBIT reference: PO2, AI2


Business objective: Marketing technology implementations are successful.
Risks:
- Implementation of the technology may fail. This may be attributable to a number of reasons, including lack of integration skill, lack of user involvement in the implementation project, inappropriate systems architecture and others.
- Users may fail to accept the new system, in most cases because user requirements were not captured and integrated into the design properly.
- Technology may become obsolete, due to rapid change.
- Benefits may not be realized or may be substantially less than expected.
Controls:
- Careful selection is made of integrators, consultants and software vendors, with due attention to alignment of vendor capabilities and project requirements.
- A structured systems integration methodology is used to minimize the risk of project failure or underperformance.
- A long-term technology architecture is deployed to manage the impact of technological change.
- Cost-benefit analysis in technology investment planning is systematically deployed, with post-implementation variance analysis.
COBIT reference: AI1, AI3, PO1, PO5

Legal and Regulatory

Business objective: Marketing campaigns and literature meet legal and regulatory restrictions.
Risks:
- Consumers purchasing products based on false or misleading claims may be able to sue for damages, and regulatory agencies may intervene to stop practices regarded as misleading to consumers.
- Trademark development may infringe on the property rights of other organizations.
- Materials similar to another organization's may confuse consumers, which could lead to litigation and damages.
- Adverse court decisions related to an organization's trademarks and materials may require complete rebranding and repositioning, with a total loss of the organization's initial marketing investment.
- Substantial cost overruns related to discarded print runs, overtime, vendor rush fees and related costs may be an issue.
- Competition and antitrust concerns may be an issue.
Controls:
- A consistent review by legal counsel of marketing policies for legal and regulatory compliance, false advertising, new trademarks (trademark infringement), customer communications, etc., is performed.
- Time for legal review is designed into an end-to-end marketing process.
- Proactive legal review is exercised in the development of marketing materials, to remove the task from the project critical path.
COBIT reference: PO8

Consumer Privacy


Business objective: Compliance with privacy laws and regulations is practiced.
Risks:
- Marketers that do not comply with privacy laws and regulations may increase the risk of litigation, damages and adverse impacts to operations due to regulatory injunctions.
Controls:
- Privacy policies and procedures should be implemented and include areas such as unsolicited customer contact and disclosure of customer information.
- Cultural differences between countries are considered.
- Marketers must establish clear policy guidelines for unsolicited messages, which should include classification of messages by type and channel, policy regarding message frequency, and provisions for customer opt-in and opt-out.
- A policy regarding message type or class enables organizations to differentiate policy according to the purpose and intent of the message.
COBIT reference: PO8, M3, AI1, AI4

For additional privacy risks and controls, refer to the privacy work program, 12. Privacy.

Fraud and Unlawful Conversion

Business objective: Fraud and unlawful conversion are prevented.
Risks:
- Trade promotions, cash rebates, coupons, sweepstakes, loyalty programs and other practices may not comply with fraud and unlawful conversion regulations.
- Misuse and abuse of marketing funds may be an issue.
- Fraud may be an issue.
- Organizations that do not ensure that benefit claims are supported by proof of eligibility risk spending program funds in a manner that does not effectively influence consumer behavior.
Controls:
- Basic risk management controls, such as dual approval, separation of duties and independent audit, are a part of the marketing process where significant payments are made to other parties.
- Incentive promotions designed to reward customers for specific behavior, such as making a purchase, are designed with controls to ensure that reward payments are earned and claimants are qualified to earn the incentive. Proof of purchase is required for disbursement.
- Aggregate claims are matched to sales. Analysis of claims incidence by channel, vendor, sales rep and other key dimensions can reveal a disproportionate incidence of claims meriting further investigation.
- Claims are checked randomly to validate that claims are properly earned and documented.
- Machine procedures are used for random printing and insertion of winning tickets or coupons. In the absence of machine procedures, control over winning tickets should be based on dual approval, employee rotation and separation of duties.
- Security printing and paper may be used to reduce fraudulent duplication of winning tickets.
- Mailing lists are seeded with names supplied by an independent list-monitoring agency, so that the agency can track the incidence of communications to the seed list by source and report findings to the list owner.
COBIT reference: PO4, DS5, DS11

Marketing Channel Management


Business objective: Marketing channels are selected to align the right customers with the right products.
Risks:
- Communications and offerings may not be reaching the target customers through the appropriate channels, resulting in inefficient marketing costs and reach.
Controls:
- Procedures are clearly defined and followed to ensure that a marketing channel will link customers to products appropriately.
- Communications and offerings are sent to customers based on their preferences. For example, a customer who prefers direct e-mail promotions may only want to receive e-mail promotions, and therefore other channels (e.g., telesales, TV) may not be effective.
COBIT reference: DS11, DS13

Business objective: Marketing channel analysis is complete.
Risks:
- Marketing channel data may be incomplete, resulting in an inaccurate picture of channel effectiveness.
Controls:
- Procedures are put in place to review marketing channel information to ensure that it is complete.
COBIT reference: AI1

To further address channel management risks, refer to work program 6. Channel Management and Integration Risk.

Marketing Literature Development and Fulfillment


Business objective: Marketing information and content are accurate.
Risks:
- Marketing content may be inaccurate, or contain false or misleading claims (e.g., claims inconsistent with product design or performance).
Controls:
- Marketing information is verified for accuracy prior to releasing the marketing literature and communication to the customer.
- Management reviews marketing content to ensure that the marketing claims can be met (e.g., product promises, product availability).
- Marketing content complies with laws, regulations and organization policies on business ethics, codes of conduct and conflict of interest to prevent damage to the organization's reputation.
COBIT reference: M1, PO8

Business objective: Literature requirements and needs are defined and addressed completely.
Risks:
- Literature requirements may not be defined completely, resulting in ineffective literature.
Controls:
- Formal procedures exist for gathering and assessing literature requirements.
- Marketing personnel ensure that all beneficial types of literature and literature content are developed and available for products and services.
COBIT reference: AI4

Business objective: Only authorized changes to literature are made.
Risks:
- Unauthorized changes may be made to printed or web-based literature.
Controls:
- The ability to change printed or web-based literature is limited to appropriate personnel, and changes are approved properly.
- Version control procedures are in place for controlling updates to literature files.
COBIT reference: DS5, DS11


Business objective: Literature is distributed effectively and properly tracked.
Risks:
- Requested literature may not be distributed properly to customers or prospects.
Controls:
- The organization utilizes collateral management technology or sufficient manual processes to fill literature requests from customers and prospects accurately and in a timely manner.
COBIT reference: DS11

Business objective: Customer feedback is considered during literature design and update.
Risks:
- Customer feedback may not be incorporated into literature updates or development of new literature, resulting in lost opportunities to improve literature quality.
Controls:
- Customer feedback is reviewed formally and incorporated into new literature during literature development and update processes.
COBIT reference: PO11

Business objective: Literature is up to date. Old literature is destroyed on a timely basis.
Risks:
- Documents that are outdated may not be identified and destroyed in a timely manner.
Controls:
- Literature preparation personnel monitor documents on an ongoing basis to ensure outdated literature is identified and removed from circulation.
COBIT reference: M1


3. Customer Interaction Center and Field Service Risks Work Program

The following work program will help manage customer interaction center and field service risks. For detailed work programs on the telecommunication equipment within interaction centers, see work program 7, Telecommunication Infrastructure. Any person auditing, reviewing or advising on controls in a CRM project will need to select tasks from the work program and to consider the key issues raised in the IT Governance Institute publication Risks of Customer Relationship Management as part of their preparation. The work program should not be used as a checklist of best practice, but as a selection of examples of good practice that can be applied. By using the work programs blindly, there is a risk of losing the confidence of the auditee and even of missing the largest risks in the project, due to the peculiarities of each project. Therefore, work programs should be used as guidance, and specific knowledge of the organization and its risks should be added to them.

Note: A business objective may be listed more than once because it has multiple risks and corresponding control objectives. Note disclaimer.

Each entry below gives the business objective, the associated risks, the controls, space for comments/results/W/P reference, and the COBIT reference.

Customer Interaction Center—Inbound Request Processes

Business objective: Customers' calls are always received by the interaction center.
Risks:
- Inbound telephone calls may not reach the interaction center as a result of inactive phone line trunks.
Controls:
- Telephone trunks are actively monitored to ensure they are not busy or out of order.
COBIT reference: DS3

Business objective: Customer calls are routed to the correct extension or interactive voice response (IVR) system.
Risks:
- Telephone calls may be inappropriately routed, resulting in dissatisfied and poorly served customers.
Controls:
- The initial implementation and all changes made to the automatic call distributor (ACD) are reviewed and tested thoroughly.
COBIT reference: AI5

Business objective: The IVR provides customers with an easy-to-use means of obtaining information or routing their call to an appropriate individual.
Risks:
- Customers may be unable to determine how to route their call via the IVR system, or may be dissatisfied due to the complexity of the options available.
Controls:
- All changes to the IVR are thoroughly reviewed and tested with end users to ensure the options and menu path of the IVR are clearly understood.
COBIT reference: AI6


Business objective: The interaction center provides customers a positive and reinforcing experience when using telephone self-service.
Risks:
- Customer calls may be dropped once the call enters the IVR/CTI systems.
Controls:
- Network connections between the CTI or IVR systems and the back-end database system have sufficient bandwidth to accommodate customer information requests.
- Network connections between the CTI or IVR systems and the back-end database are monitored.
- An alternative IVR system is made available in the event the back-end database is unavailable, to ensure the customer's time is not wasted.
COBIT reference: AI3, DS4, DS13

Business objective: Customers use IVR self-service to answer common questions and alleviate demand for live interaction center personnel.
Risks:
- Customers may "zero out" of the IVR rather than use automated assistance because the IVR is confusing or difficult to use.
Controls:
- The IVR is easy to use for requesting information, such as account information, and manual intervention is minimized for simple self-service questions.
COBIT reference: DS3

Business objective: Callers waiting in the queue are given information on expected wait time.
Risks:
- Callers may become impatient and dissatisfied with the organization due to inability to determine the length of hold time or due to excessive hold times.
Controls:
- Callers are updated periodically with the expected wait time while on hold.
- Callers are provided alternative methods of communicating with the organization, such as the web site, nonpeak hours, etc.
COBIT reference: DS3


Business objective: Web form/e-mail requests are routed to the correct personnel for response.
Risks:
- Web form/e-mail requests may be misrouted, resulting in customer dissatisfaction because of response delays.
Controls:
- Web form and e-mail requests are routed to the correct mailboxes using e-mail management software, also called automatic e-mail distributors (AEDs).
- Periodic tests of web service are conducted and e-mails are sent to customers to ensure correct routing.
COBIT reference: DS13

Business objective: Web form/e-mails are easily integrated and read by e-mail management software.
Risks:
- Web form/e-mail requests may not be routed efficiently or effectively, resulting in poor response times to customer requests.
Controls:
- Users are encouraged to use a web form on the organization's web site when sending web service/e-mail requests. The user then selects a category for their e-mail from a predefined list of choices, allowing the request to be more efficiently routed, understood and answered by customer service personnel.
COBIT reference: DS11, DS13

Business objective: Customer requests are immediately acknowledged, enhancing customers' experience and perception of using chat for service.
Risks:
- Customer requests may not be acknowledged in a timely manner.
Controls:
- Customer requests are auto-answered, when feasible.
- Acknowledgments or confirmations are sent to customers to indicate that their request was received and the expected response time.
COBIT reference: DS1, DS13, M1

Business objective: Customer requests are routed within the interaction center based on the nature of the request and workload.
Risks:
- Customer requests may be routed to overloaded CSRs.
Controls:
- Customer requests are distributed evenly among customer service personnel.
COBIT reference: DS13


Business objective: Customer information is input completely and accurately.
Risks:
- Customer master data may be duplicated, resulting in an incomplete record of a customer's history.
Controls:
- CSRs perform a thorough search for the customer in the database prior to creating a new customer. For example, they search by name, phone number or e-mail.
- The system automatically flags potential duplicate customer records during entry.
COBIT reference: AI5, DS11

Business objective: Customer information is input completely and accurately.
Risks:
- Customer information may be entered inconsistently or incompletely.
Controls:
- CSRs are trained appropriately on data entry requirements and the intended uses for fields.
- Key fields are required to be entered.
- When possible, pick lists and field masks are used to validate and secure data entry (e.g., pick lists for titles, preferences and states; field masks for phone numbers, ID numbers and credit card numbers).
COBIT reference: PO7, DS7, DS11
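The two controls above (automatic duplicate flagging, and required fields, pick lists and field masks) as an added Python example; it is not part of the ISACA work program, and the field names, pick-list values, mask formats and customer records are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Pick lists: the only values the data-entry screen accepts for these fields
# (constructed for this example, not taken from any real CRM).
PICK_LISTS: Dict[str, set] = {
    "title": {"Mr", "Ms", "Mrs", "Dr"},
    "state": {"CA", "NY", "TX", "WA"},
    "contact_preference": {"email", "phone", "mail"},
}

# Field masks as anchored regular expressions (constructed formats).
FIELD_MASKS: Dict[str, re.Pattern] = {
    "phone": re.compile(r"\d{3}-\d{3}-\d{4}"),
    "email": re.compile(r"[^@\s]+@[^@\s]+\.[A-Za-z]{2,}"),
    "credit_card": re.compile(r"\d{13,19}"),
}

# Key fields that must be entered before a record can be saved.
REQUIRED_FIELDS = ("last_name", "phone", "email", "state")

# Constructed sample of existing customer master data.
EXISTING_CUSTOMERS: List[Dict[str, str]] = [
    {"id": "C-1001", "first_name": "Ana", "last_name": "Lopez",
     "phone": "415-555-0101", "email": "ana.lopez@example.com", "state": "CA"},
    {"id": "C-1002", "first_name": "Ben", "last_name": "Okafor",
     "phone": "212-555-0199", "email": "ben@example.org", "state": "NY"},
]


def luhn_ok(number: str) -> bool:
    """Check-digit test for a card number consisting only of digits."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def validate_record(rec: Dict[str, str]) -> List[str]:
    """Apply required-field, pick-list and field-mask controls; return violations."""
    errors: List[str] = []
    for f in REQUIRED_FIELDS:
        if not rec.get(f, "").strip():
            errors.append(f"{f}: required")
    for f, allowed in PICK_LISTS.items():
        if f in rec and rec[f] not in allowed:
            errors.append(f"{f}: not in pick list")
    for f, mask in FIELD_MASKS.items():
        value = rec.get(f)
        if value and not mask.fullmatch(value):
            errors.append(f"{f}: does not match field mask")
    card = rec.get("credit_card")
    if card and FIELD_MASKS["credit_card"].fullmatch(card) and not luhn_ok(card):
        errors.append("credit_card: check digit failed")
    return errors


def _norm_phone(p: str) -> str:
    return re.sub(r"\D", "", p or "")


def _norm_email(e: str) -> str:
    return (e or "").strip().lower()


def _norm_name(rec: Dict[str, str]) -> str:
    full = f"{rec.get('first_name', '')} {rec.get('last_name', '')}"
    return re.sub(r"\s+", " ", full).strip().lower()


def find_potential_duplicates(new: Dict[str, str],
                              existing: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Flag existing customers matching the new entry on e-mail, phone or name.
    Values are normalized first so case, spacing and phone punctuation do not hide a duplicate."""
    hits = []
    for cust in existing:
        reasons = []
        if _norm_email(new.get("email")) and _norm_email(new.get("email")) == _norm_email(cust.get("email")):
            reasons.append("email")
        if _norm_phone(new.get("phone")) and _norm_phone(new.get("phone")) == _norm_phone(cust.get("phone")):
            reasons.append("phone")
        if _norm_name(new) and _norm_name(new) == _norm_name(cust):
            reasons.append("name")
        if reasons:
            hits.append((cust["id"], reasons))
    return hits


def screen_new_customer(rec: Dict[str, str],
                        existing: List[Dict[str, str]]) -> Dict[str, object]:
    """Decide the fate of a CSR's new-customer entry: "reject" (validation failed),
    "review" (possible duplicate for the CSR to confirm) or "create" (clean, no match)."""
    errors = validate_record(rec)
    dups = find_potential_duplicates(rec, existing)
    action = "reject" if errors else ("review" if dups else "create")
    return {"action": action, "errors": errors, "duplicates": dups}


if __name__ == "__main__":
    entry = {"title": "Ms", "first_name": "Ana", "last_name": "LOPEZ",
             "phone": "415-555-0101", "email": "Ana.Lopez@Example.com",
             "state": "CA", "contact_preference": "email"}
    print(screen_new_customer(entry, EXISTING_CUSTOMERS))
```

Run stand-alone, the sample entry passes every mask and pick list but is flagged for review because it matches the existing record C-1001 on e-mail, phone and name.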

Business objective: Only authorized personnel create new customer records.
Risks:
- Unapproved customer records maintenance may be performed.
Controls:
- Access to maintain customer information is restricted to the appropriate personnel.
COBIT reference: DS5, PO4

Business objective: Requests are routed appropriately and reports on requests are accurate.
Risks:
- Requests may be categorized inconsistently, resulting in inaccurate routing and/or reporting.
Controls:
- Contact center personnel (or customers via web forms/e-mail) are required to select a request type from a pick list.
COBIT reference: DS1


Business objective: Requests are routed appropriately and reports on requests are accurate.
Risks:
- Requests may be categorized inconsistently, resulting in untimely resolution and inaccurate reporting.
Controls:
- CSRs are trained on the proper usage of the different request types.
- Formal procedures exist for processing requests.
COBIT reference: DS13

Business objective: Adequate information is captured on the service request.
Risks:
- Insufficient detail as to the nature of the request may be captured in the initial contact with the customer.
Controls:
- CSRs are trained appropriately on the importance of understanding and documenting the request with sufficient detail.
- A description field is required when documenting a request.
COBIT reference: PO7, DS7

Business objective: Service requests are prioritized appropriately, so that they are addressed in an appropriate manner.
Risks:
- Service requests may be prioritized inappropriately.
Controls:
- CSRs are trained appropriately on the meaning of service request severity codes.
- The severity field is required and given an appropriate default.
- Management monitors the number of outstanding service requests by severity to help determine the appropriate use of severity codes.
COBIT reference: PO7, DS7

Business objective: Web form and e-mail requests are seamlessly integrated into the call center service request application, allowing a complete picture of the customer's service history.
Risks:
- Web form and e-mail requests may be stored separately from telephone service requests, giving an incomplete picture of the customer's service history.
Controls:
- Web form and e-mail requests are included as service requests in the customer's service history.
COBIT reference: DS11

© Copyright IT Governance Institute 2003 www.isaca.org/auditprograms 65

Page 66: Crm Work Programs

BusinessObjective

Risk Control Comments/ Results/W/P Ref.

COBIT Reference

Business objective: Customer service levels are accurately reflected in the system.
Risk: Customers' service levels may not be recorded appropriately in the system.
Controls:
- Access to changing and assigning customer service levels is restricted appropriately.
- Procedures exist to ensure customer service levels are input into the system accurately and completely.
COBIT reference: DS5, DS7, AI5

Business objective: Customers are provided appropriate service.
Risk: Customer expectations for the level of service they will receive may not be managed appropriately.
Controls:
- CSRs are trained adequately on the service levels. For example, initial training is aligned with key customer satisfiers and empowers the worker to satisfy the customer.
- Customer service levels are maintained in the customer profile. For example, service levels may be as follows:
  - Gold service: 24/7 support, onsite support if needed, requests addressed in four hours (US $20,000 every 6 months)
  - Silver service: 24/7 support, no onsite support, requests addressed within 24 hours (US $10,000 every 6 months)
  - Bronze service: 12/5 support, no onsite support, requests addressed within 48 hours (US $5,000 every 6 months)
- All service levels expire after a period of time if not renewed.
- CSRs manage customers' expectations for the level of service they will receive by communicating service levels. A report is processed periodically to identify customers without a service level or with service levels that do not match their current service level. Appropriate action is taken to update service levels.
COBIT reference: DS1, DS7, DS13
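As an added illustration (not part of the ISACA work program), the periodic exception report described in the row above: it compares the service level recorded in each CRM profile with the level the customer is currently entitled to and lists customers with no level, an expired level, an unknown code or a mismatch. The record layout, the use of the 6-month fee cycle as the expiry interval and the sample customers are assumptions constructed for the example.

```python
"""Service-level exception report over customer profiles, as a detective control.
Record layout, expiry interval and sample data are illustrative assumptions."""
from datetime import date, timedelta

# Catalogue of levels from the control text (Gold/Silver/Bronze). The renewal
# period is taken from the "every 6 months" fee cycle and used as the expiry
# interval here; that mapping is an assumption of this example.
SERVICE_LEVELS = {"Gold", "Silver", "Bronze"}
RENEWAL_PERIOD = timedelta(days=183)


def service_level_exceptions(profiles, contracts, as_of):
    """Return (customer_id, reason, profile_level, entitled_level) tuples.

    profiles:  {customer_id: {"level": str|None, "renewed_on": date|None}}
               the service level as shown to CSRs in the CRM profile
    contracts: {customer_id: str} the level the customer currently pays for
               (assumed to come from the billing system)
    as_of:     the report date
    """
    exceptions = []
    for cid, prof in sorted(profiles.items()):
        level = prof.get("level")
        renewed = prof.get("renewed_on")
        entitled = contracts.get(cid)
        if level is None:
            exceptions.append((cid, "no service level recorded", None, entitled))
            continue
        if level not in SERVICE_LEVELS:
            exceptions.append((cid, "unknown service level code", level, entitled))
            continue
        if renewed is None or as_of - renewed > RENEWAL_PERIOD:
            exceptions.append((cid, "service level expired (not renewed)", level, entitled))
            continue
        if entitled != level:
            exceptions.append((cid, "profile level does not match contract", level, entitled))
    return exceptions


# Constructed sample data, not real customers.
PROFILES = {
    "C-1": {"level": "Gold", "renewed_on": date(2003, 1, 15)},     # clean
    "C-2": {"level": None, "renewed_on": None},                    # no level
    "C-3": {"level": "Silver", "renewed_on": date(2002, 6, 1)},    # expired
    "C-4": {"level": "Bronze", "renewed_on": date(2003, 2, 1)},    # pays Silver
    "C-5": {"level": "Platinum", "renewed_on": date(2003, 2, 1)},  # bad code
}
CONTRACTS = {"C-1": "Gold", "C-2": "Bronze", "C-3": "Silver", "C-4": "Silver", "C-5": "Gold"}


def run_report(as_of=date(2003, 3, 1)):
    """Run the exception report over the sample data for the given report date."""
    return service_level_exceptions(PROFILES, CONTRACTS, as_of)


if __name__ == "__main__":
    for row in run_report():
        print(row)
```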

Business objective: Service request resolution information is captured.
Risk: The CSRs may not provide complete descriptions of how issues are resolved.
Controls:
- The request resolution field is configured as required to ensure proper documentation.
- Contact center managers perform quality assurance on closed service requests to ensure the resolution is documented adequately and the customer's request was appropriately satisfied. For example, senior managers regularly listen in on live or recorded calls for each front-line worker to ensure that the resolution is accurate and documented uniformly and completely.
COBIT reference: PO11, DS9

Business objective: Comprehensive documentation standards exist.
Risk: Inadequate or inconsistent documentation standards may lead to difficulty in retrieving solutions to problems.
Controls:
- Documentation standards are defined to ensure comprehensive documentation of the resolution. Standards include guidelines for referencing related case analysis, diagnostic Q&A, decision trees, search engines for repositories of technical documents, FAQs and known customer service solutions, etc.
COBIT reference: PO11, AI4

Business objective: Requests are closed appropriately.
Risk: Requests may not be closed properly; therefore, the requests remain open on the system and continue to be worked on by other employees.
Controls:
- Procedures are defined on how and when to close a request appropriately.
- Monitoring controls exist over open requests to ensure that they are closed in a timely manner.
COBIT reference: AI4, M1

Business objective: Customers are satisfied with the request resolution.
Risk: Requests may be closed without the customer being satisfied with the response.
Controls:
- Customers are surveyed periodically to determine satisfaction. The surveys include feedback on system accessibility, front-line professionalism and overall satisfaction with the way their calls are handled.
- When a customer's e-mail address is available, the customer is e-mailed a confirmation that the request has been closed and is given the ability to provide feedback. A mail confirmation is sent if e-mail is unavailable.
COBIT reference: AI4, DS1, DS8

Business objective: Customer feedback is quantified and analyzed on a proactive basis.
Risk: Customer service may not be effective.
Controls:
- Management notifies appropriate individuals that a complaint was filed for their area of responsibility.
- Management and the responsible individual determine and implement an action plan to avoid the noted complaint in the future.
- The action plans are documented and monitored.
COBIT reference: M1

Business objective: Services address the needs of all groups within the customer base.
Risk: The needs of specific customers may not be met.
Controls:
- Customer focus groups are used to determine the needs of specific customer groups and how well those needs are being met.
COBIT reference: DS1

Customer Interaction Center—Outbound Processes

Business objective: All customers and all potential customers are contacted.
Risk: The outbound dialing system may not effectively switch between lists and campaigns nor reschedule callbacks for busy signals and no-answers.
Controls:
- The system automatically reschedules calls for busy signals and no-answers.
COBIT reference: AI1, AI2

Business objective: CSR time is used effectively.
Risk: CSR time may be wasted due to inefficient call scheduling of customers.
Controls:
- The system keeps a record of call attempts to be certain that each attempt is made at a different time of day and on different days.
COBIT reference: AI1, AI2

Business objective: CSRs effectively communicate the organization's message.
Risk: CSRs may not be aware of, or may not effectively communicate, the proper campaign messages.
Controls:
- Scripting is used so that data can be entered and calculations performed automatically within the script.
- Future calls and action items are routed to the correct agent based on the answers received. For example, effective workstation configurations identify the probable incoming caller by automatically linking the caller's phone number and account history, and instantly placing this information on the front-line worker's computer screen.
COBIT reference: AI1, AI2

Business objective: Customer data are accurate and reliable.
Risk: Customer master data may be duplicated, resulting in an incomplete record of the customer's history.
Controls:
- CSRs perform a thorough search for the customer in the database by name, phone or e-mail prior to creating a new customer.
- The system automatically flags potential duplicate customer records during entry.
COBIT reference: DS9, DS11

Business objective: Customer data are accurate and reliable.
Risk: Customer information may be entered inconsistently or incompletely.
Controls:
- Pick lists and field masks are used to validate data entry (e.g., pick lists for titles, preferences and states; field masks for phone numbers, ID numbers and credit card numbers).
- Key fields are required to be entered.
COBIT reference: DS11

Business objective: Customer data are accurate and reliable.
Risk: Unapproved customer records may be created.
Controls:
- Access to add new customer information is restricted to appropriate personnel.
COBIT reference: DS5

Field Service Delivery

Business objective: Requests are resolved in a timely manner.
Risk: Field service cases may not be correctly routed to the field, e.g., to an incorrect field office.
Controls:
- Assignment rules are designed appropriately to consider geographical location, employee expertise and availability when proposing potential field service personnel.
- Procedures exist to reroute incorrect routings to another office.
COBIT reference: PO4, AI4, DS10

Business objective: Requests are resolved in a timely manner.
Risk: Field service requests may be assigned to unavailable or overworked personnel.
Controls:
- Adequate escalation procedures route cases to a higher level of management if the cases are not addressed within a specified period of time.
COBIT reference: AI4, DS10

Business objective: Requests are resolved in a timely manner.
Risk: Past solutions to similar problems may not be easily retrievable or available to field service personnel while they are in the field.
Controls:
- Field service personnel have tools available to them in the field to help troubleshoot problems.
- A solutions database is maintained to assist field service personnel in troubleshooting problems.
- Field service personnel can access the solutions database via field service computers.
COBIT reference: PO4, AI1, DS5, DS10

Business objective: Requests are resolved in a timely manner.
Risk: Subject matter expertise may not be available for complex or new problems, resulting in delayed resolution time.
Controls:
- Subject matter experts are available to find solutions to new and complex problems as they arise.
- Customer self-service can dramatically improve control. A major European electronic components distributor, for example, has achieved 10 percent of its sales through its B2B web site. At the same time, technical support documentation for its products is on the web site. More than 90 percent of all requests for technical information are now performed electronically rather than through the call center.
COBIT reference: DS8

Business objective: Reliable and meaningful information is available for field service request resolution times.
Risk: Performance metrics may not be calculated accurately due to inconsistent request closing procedures.
Controls:
- Field service personnel understand the importance of, and the procedures for, closing a completed request.
- Field service personnel are trained adequately on case closing procedures.
COBIT reference: DS7, DS11

Business objective: Requests are resolved in a timely manner.
Risk: Spare or replacement parts may not be available in the time frame the customer requires to resolve the problem.
Controls:
- Proactive steps are taken to monitor spare and replacement parts inventory.
- Adequate safety stocks are kept.
- If the part is not available, the customer is made aware and an approximate wait time is indicated.
COBIT reference: DS9

Business objective: Customers are satisfied with field service request resolutions.
Risk: Customers may not be completely satisfied with field service work.
Controls:
- Customer feedback surveys are sent to all customers, including those whose requests were resolved by field sales personnel.
- Customers are surveyed to determine their satisfaction with the field service technical assistance.
COBIT reference: DS8, DS10

Business objective: Feedback is utilized to provide enhanced solutions.
Risk: Ineffective solutions may be repeated for the same problem.
Controls:
- Customer feedback regarding specific field service solutions is fed into the solutions knowledge database.
- Field service personnel can propose amendments or changes to solutions.
- Subject matter experts review these amendments and changes and incorporate them as appropriate.
COBIT reference: DS8

Business objective: Time and expense associated with field service calls are tracked.
Risk: Time and expenses may not be documented in the system; therefore, services received may not be billed (e.g., loss of revenue).
Controls:
- Time and expense procedures are defined and enforced.
- Field service personnel must submit time and expenses periodically to receive a paycheck.
- To be reimbursable, expenses must be submitted prior to the final client billing.
COBIT reference: PO5, DS6

Business objective: Customers are appropriately charged, or not charged, for field service calls.
Risk: Lack of appropriate warranty-related information might result in customers being charged inappropriately, or not charged, for the cost of the repairs.
Controls:
- The customer service, billing and warranty systems are integrated to help ensure appropriate customer billings.
COBIT reference: DS6

Business objective: Field service inventories are protected and monitored adequately.
Risk: Field service inventories may be overstated as a result of poor parts management.
Controls:
- Parts used must be recorded prior to closing the case ticket.
- Periodic physical inventories of field service vehicles/locations are taken.
- Field service personnel are held responsible and accountable for all service parts in their possession.
COBIT reference: DS9, DS11

Business objective: Field service performance is understood and measurable.
Risk: Performance metrics may not be calculated due to inconsistent request closing procedures.
Controls:
- Field service personnel understand the importance of, and the procedures for, closing a completed request.
- Field service personnel are trained adequately on case closing procedures.
COBIT reference: AI4, DS7, PO11

Business objective: Quality levels are monitored.
Risk: Quality levels may not be met, resulting in poor customer satisfaction.
Controls:
- Contact center managers perform quality assurance on closed service requests to ensure the resolution is documented adequately and it appears that the customer's request was satisfied appropriately.
COBIT reference: PO10, PO11

Service Spares Logistics

Business objective: Spare parts are properly managed.
Risks:
- The right parts may not be available for service personnel; therefore, they will not be able to fix products or resolve customer problems.
- Spare parts may be stolen, misplaced, lost, etc.
Controls:
- Formal inventory management procedures are implemented to control the inventory of spare parts, ensuring that all parts are accounted for and are available to the field service representatives when needed to resolve customer problems or fix products.
COBIT reference: PO6, AI4

Business objective: Proprietary and confidential information is properly restricted.
Risk: Internal documentation may be distributed inappropriately to the public.
Controls:
- All internal, noncustomer-facing information is marked clearly and maintained in a separate folder from information designed for distribution to customers.
- Access to all sensitive internal documentation is restricted appropriately through an approval process.
COBIT reference: DS5, DS11

Business objective: Solution information is up-to-date and easily retrievable.
Risk: Past solutions to similar problems may not be easily retrievable or available to field service personnel while they are in the field.
Controls:
- Field service personnel have tools available to them in the field to help troubleshoot problems.
- A solutions database is maintained to assist field service personnel in troubleshooting problems.
- Field service personnel can access the solutions database via field service computers.
COBIT reference: DS5, DS9

Business objective: Solution information is up-to-date and easily retrievable.
Risk: Ineffective solutions may be repeated for the same problem.
Controls:
- Customer feedback regarding specific field service solutions is fed into the solutions knowledge database.
- Field service personnel also can propose amendments or changes to solutions.
- Subject matter experts review these amendments and changes and incorporate them as appropriate.
COBIT reference: DS11, DS13

Business objective: Solution information is up-to-date and easily retrievable.
Risks:
- The CSR may not provide a description of how the issue was resolved.
- An inability to capture important request resolution information may exist.
Controls:
- The request resolution field is configured as required to ensure proper documentation.
- Management monitors solution information and issue resolutions.
COBIT reference: DS9, M1

Business objective: Solution information is up-to-date and easily retrievable.
Risk: Inadequate or inconsistent documentation standards may lead to difficulty in retrieving solutions to problems.
Controls:
- Documentation standards are defined to ensure comprehensive documentation of the resolution. Standards include guidelines for referencing related case analysis, diagnostic Q&A, decision trees, search engines for repositories of technical documents, FAQs and known customer service solutions, etc.
COBIT reference: AI1, PO11

Business objective: Solution information is up-to-date and easily retrievable.
Risk: New solutions may not be documented as needed, resulting in a lack of knowledge sharing between CSRs.
Controls:
- CSRs are encouraged to propose new solutions in the solutions database and are recognized for their effort.
COBIT reference: DS11

Business objective: Solution information is up-to-date and easily retrievable.
Risk: Ineffective solutions may be repeated for the same problem.
Controls:
- All solutions are reviewed by technical experts prior to approval for general use at the interaction center.
COBIT reference: DS13

Business objective: Solution information is up-to-date and easily retrievable.
Risk: Problem resolution data may be maintained inconsistently.
Controls:
- Templates or standards govern the form of the solutions documentation.
COBIT reference: PO1, PO3

Business objective: Solution information is up-to-date and easily retrievable.
Risk: Employees may not be able to extract knowledge solutions in an efficient manner.
Controls:
- Responsibility and accountability for creating and maintaining product and service information are defined.
- Product and service information is stored in an easily accessible and searchable format.
COBIT reference: DS3, DS13

Business objective: Policies and procedures for returns and replacements are followed.
Risks:
- CSRs may provide customers inaccurate information.
- Customers may not follow return and replacement procedures; therefore, their returns are rejected.
Controls:
- Return instructions are available online to the CSRs.
- CSRs are trained appropriately on return policies and procedures.
COBIT reference: AI4, DS7

People Management

Business objective: Customers are satisfied with the level of service.
Risk: Inexperienced CSRs may provide inappropriate and incomplete literature to customers.
Controls:
- Initial and periodic training is conducted to educate CSRs on standard and timely literature and the grouping of literature materials. For example, training hours are allotted for every front-line worker (ranging from 90-150 hours) and are factored into the forecasting and scheduling process at least one year in advance.
- Customer request scenarios are provided to assist in ensuring all applicable literature is provided during the initial request.
COBIT reference: PO7, DS7

Business objective: Customer data are accurate and reliable.
Risk: Customer information may be entered inconsistently.
Controls:
- CSRs are trained appropriately on data entry requirements and the intended uses for fields.
COBIT reference: DS7, DS11

Business objective: Customer requests are responded to efficiently.
Risk: Requests may be categorized inconsistently, resulting in untimely resolution and inaccurate reporting.
Controls:
- CSRs are trained appropriately on the proper response to the different request types.
COBIT reference: DS7

Business objective: Customer requests are responded to efficiently.
Risk: CSRs may not categorize service requests consistently, resulting in inaccurate request analysis.
Controls:
- CSRs are trained on the importance of using the appropriate category for service requests and the meaning of each category.
- The category field is required.
COBIT reference: DS1, DS7

Business objective: CSRs are well trained.
Risk: Training initiatives may be executed poorly.
Controls:
- A dedicated training group is an integral part of a successful interaction center operation.
- Technical training programs are delivered by experienced subject-matter experts to ensure the skill and knowledge transfer is current and relevant.
- Training programs are subject to a beta test or pilot test to solicit CSR end-user feedback and improve the training program.
- Formal training agendas are prepared and approved by management.
COBIT reference: PO7, PO10, DS7

Business objective: CSRs are well trained.
Risk: Personnel may not be trained to meet customer needs effectively.
Controls:
- The training curriculum includes systems, products, call types, customer handling and telephone skills.
- CSRs are involved in developing training courses, and management approves course content.
- Multiple training methods are used, including written tests, telephone interviews and role-playing, to provide comprehensive scenarios.
COBIT reference: PO7, DS7, DS13

Business objective: CSRs are well trained.
Risk: Customer service needs and workloads may not allow sufficient time for proper training.
Controls:
- Training hours are allotted for every front-line CSR (ranging from 80-160 hours per employee) and are factored into the forecasting and scheduling process at least one year in advance.
COBIT reference: DS1, DS7

Business objective: CSRs are well trained.
Risk: Training may not enhance productivity.
Controls:
- Training effectiveness is verified through self-assessments, service observations, one-on-one coaching, team interactions and metrics.
COBIT reference: AI4, AI5, DS7

Business objective: Customers are satisfied with the service.
Risk: Customers may be treated with disrespect.
Controls:
- Front-line CSRs are trained to recognize and adapt to different caller personality types.
COBIT reference: DS10, DS13

Business objective: Customer requests are responded to efficiently.
Risk: Insufficient detail as to the nature of the request may be captured in the initial contact with the customer.
Controls:
- CSRs are trained appropriately on the importance of describing the request in detail.
COBIT reference: DS7

Business objective: Customers are satisfied with the service.
Risk: Customer expectations for the level of service they will receive may not be managed appropriately.
Controls:
- CSRs are trained adequately on the meaning of the different service levels.
COBIT reference: PO7, DS1

Business objective: Customer requests are responded to efficiently.
Risk: Service requests may be routed to inappropriate individuals, delaying resolution.
Controls:
- CSRs are trained adequately and provided information on whom to route calls to, depending on the type of inquiry, in the event they receive a call they cannot answer.
COBIT reference: DS13

Business objective: Customer service representatives are well trained.
Risk: Personnel may not be trained to manage assignment or workflow rules.
Controls:
- Personnel are trained appropriately in managing assignment and workflow rules.
COBIT reference: PO7

Business objective: Physical conditions are sufficient to allow interaction center personnel to operate effectively.
Risk: Contact center personnel may be inefficient due to a poor physical environment.
Controls:
- There is a natural source of lighting, plus artificial direct and indirect lighting to reduce glare.
- Customer care personnel have facilities for rest and recreation.
- The layout supports ease of operations and an ability to deal with calls effectively, e.g., hot desks, printer locations, etc.
- The noise level is controlled and the general (background) noise level is adequate. Mitigating methods are white noise, sound-absorbing materials, baffling materials, etc.
- Proper ventilation exists to provide ambient temperature and proper circulation of air, e.g., no hot spots and cold spots. Ceiling height provides a sense of openness, visibility, etc.
- The interaction center is clean and well maintained.
- Support for offices includes office facilities, e.g., printers, phone headsets, photocopiers, etc.
COBIT reference: PO8, DS12

Business objective: Workloads are managed effectively to ensure high-quality customer service.
Risk: The interaction center may be inefficient and in constant response mode.
Controls:
- Workload is forecast 12-18 months into the future and is adjusted quarterly, monthly and weekly based upon current information.
- Attrition and training are factored into the forecast equation.
- Forecasting accuracy is tracked weekly and monthly, with the aim of achieving accuracy within a +/- 2 percent range.
- In addition, periods of excellent service levels, not poor service, are leveraged for goal setting.
- Workflow management and work queue management are used to monitor agents' workload and to take action to prevent backlogs or bottlenecks from developing.
COBIT reference: DS1, DS3, DS7, AI4

Business objective: Workloads are effectively managed to ensure high-quality customer service while minimizing costs.
Risk: All resources may not be leveraged for efficiency.
Controls:
- Workload balance efficiency strategies include:
  - Site consolidations
  - Workload balancing between multiple interaction centers
  - Staggered shifts by 15-minute intervals
  - Availability of part-time workers
COBIT reference: DS3

Business objective: Workloads are managed effectively to ensure high-quality customer service.
Risk: CSRs may become overburdened and unable to answer customer requests in a timely manner.
Controls:
- Contact center managers monitor workloads of CSRs and take action to reassign requests to smooth the workload.
COBIT reference: DS1, DS3

Business objective: Workloads are managed effectively to ensure high-quality customer service.
Risk: Requests may be assigned to overburdened employees, resulting in delays in resolving service requests.
Controls:
- Assignment managers are used to smooth the workload among employees and to help ensure the most qualified person is working on the problem.
COBIT reference: DS3

Business objective: Workloads are managed effectively to ensure high-quality customer service.
Risk: Service requests may not be resolved in a timely manner due to lack of appropriate resources.
Controls:
- CSRs are aware of overall workloads in the interaction center and can therefore manage customer expectations on resolution time.
- Contact center management monitors workloads over time and anticipates periods of increased demand for service.
COBIT reference: DS3

Business objective: Workloads are managed effectively to ensure high-quality customer service.
Risk: Service requests may be routed to unavailable individuals, delaying resolution.
Controls:
- Employees are marked as unavailable in their personnel profile while on vacation or otherwise away from the office, so requests will not be routed to them.
COBIT reference: DS3

Business objective: Workloads are managed effectively to ensure high-quality customer service.
Risk: Requests may be routed to overloaded CSRs.
Controls:
- Customer requests are distributed evenly among customer service personnel.
COBIT reference: DS1

Business objective: The contact center is managed efficiently to ensure high-quality customer service while minimizing costs.
Risk: Contact center efficiency may decline due to inadequately trained personnel or new customer problems.
Controls:
- Contact center interaction times are tracked, monitored and reviewed to help ensure interaction center efficiency.
COBIT reference: DS1, DS3

Business objective: The contact center is managed efficiently to ensure high-quality customer service while minimizing costs.
Risk: Feedback may not be compiled to implement continuous improvement of organization practices.
Controls:
- Customer feedback is summarized and used to make decisions regarding employee incentives, policy and procedure, resource allocation and skill needs.
COBIT reference: DS3

Business objective: The contact center is managed efficiently to ensure high-quality customer service while minimizing costs.
Risk: Contact center management may not analyze commonality among service requests, forgoing potential efficiency gains from incorporating common service request information.
Controls:
- Common service requests are reported in overall interaction center statistical information.
- Common service request resolution information is incorporated into the web site FAQ information and also into the IVR.
- CSRs are made aware periodically of the most common service requests, to ensure they are able to answer customer inquiries efficiently.
COBIT reference: DS1

Business objective: The contact center is managed efficiently to ensure high-quality customer service while minimizing costs.
Risk: Personnel monitoring may be perceived negatively by personnel.
Controls:
- Policies state that the primary purpose of monitoring is to identify individual training needs as part of an organizationwide continuous improvement effort.
COBIT reference: DS1

Business objective: The contact center is managed efficiently to ensure high-quality customer service while minimizing costs.
Risk: Key decision-makers may not be aligned with day-to-day operations.
Controls:
- Senior managers regularly listen in on live calls to stay in touch with the customer and with the effectiveness of their interaction center operations. For example, team leaders typically should monitor five to ten calls per front-line employee per month. Both silent/remote and side-by-side monitoring are used.
- Team leaders shadow front-line personnel for a day to better understand call operations, job procedures, working conditions and customer expectations.
COBIT reference: DS1, DS3

Business objective: The contact center is managed efficiently to ensure high-quality customer service while minimizing costs.
Risk: Front-line personnel satisfaction may not be valued and incorporated.
Controls:
- Front-line personnel satisfaction is measured as routinely as customer satisfaction.
- Comprehensive annual surveys are compared with specifically targeted weekly and monthly surveys to ensure continuous improvement.
COBIT reference: DS1, DS2

Business objective: The contact center is managed efficiently to ensure high-quality customer service while minimizing costs.
Risk: Customer problems may not be handled efficiently.
Controls:
- Tracking of the methods utilized for problem resolution is performed to analyze effective vs. ineffective methods.
COBIT reference: DS10

The contact center is managed efficiently to ensure high-quality customer service while minimizing costs.

Employee skills may not be updated regularly in the system.

Employee skills are reviewed periodically and adjusted as those skills change.

PO7

The contact center is managed efficiently to ensure high-quality customer service while minimizing costs.

Requests (including web form and e-mail requests) may not be assigned to appropriate personnel in a timely manner, resulting in customer dissatisfaction.

Contact center management monitors outstanding requests (including web form and e-mail requests) to ensure service requests are addressed in a timely manner.

Management monitors average resolution time for service requests.

DS1M1

Outsourcing Outsourcing arrangements are managed properly.

Outsourcing arrangements may not meet expectations resulting in poor customer service, unresolved customer needs, etc.

Service level agreements define the responsibilities and details of the expected service levels to be provided by the outsourcing organization, as well as metrics to be achieved by the outsourcer. The service level agreement includes required processing levels, security, monitoring, contingency requirements and other stipulations, as required.

Management monitors performance of the outsourced vendor to ensure that key controls are being performed. For instance, a SAS 70 report, which describes key processes and controls in place at the outsourcer, may be available.

COBIT: DS2, M1


Management Analytics and Reporting: Call analysis is performed to monitor service levels and improve performance.

The interaction center may not be performing at an acceptable service level.

The following areas are monitored, and if an acceptable service level is not met, performance improvement steps are taken:

- Proportion of callers who receive a busy tone due to a lack of telecommunication capacity

- Proportion of callers who receive a busy tone due to operational policies during the busy and other hours

- Proportion of calls that are abandoned by department and service line

- Length of time customers have to wait for an agent when they are the targets of an outbound call (best practice is zero and acceptable performance with power dialer is 1 percent)

- The proportion of average call handling time to talk time (best practice is 95 percent or better)

- Proportion of handling time spent waiting on the information system between screens, for searches, etc. (best practice is less than 5 percent of contact time)

COBIT: M1, DS3, DS13


- Proportion of talk time that is wasted while the customer or agent is waiting for something to happen (best practice allows 10 percent). Wasted time includes waiting for information from a database, information from the customer, a call transfer, a lookup in a list/book, contact with someone else, etc.

- Proportion of incoming calls that are abandoned by the caller (should be less than 1 percent, very near zero, or zero). Note: Beware misinterpreting statistics as IVR on overflow makes this easy to achieve on the ACD stats. Best practice is only achieved if IVR is fast/simple and not compulsory.

- Average setup time per outbound call attempt (best practice is less than 10 seconds per attempt)

- Number of attempts the average outbound call takes before success

- Differences between CSRs for individual call handling time

- Average time to respond to a ringing phone and the variances between CSRs

- Average utilization and the variances between CSRs

- Number of calls per hour worked and the variances between the CSRs

- Proportion of customer transactions recorded by reporting systems

- Customer transaction history length

- Number of telephone numbers customers can use to gain access

- Proportion of calls to arrive on the three most common numbers

- Proportion of calls that use ordinary geographic numbers and the proportion that use branded NTS numbers, e.g. 800, 888, 990, etc.

- Proportion of calls that are satisfied during one call


4. Data Management Risks Work Program

The following work program will help manage data risks for customer relationship management. Any person auditing, reviewing or advising on controls in a CRM project will need to select tasks from the work program and to consider the key issues raised in the IT Governance Institute publication Risks of Customer Relationship Management as part of their preparation. The work program should not be used as a checklist of best practice, but as a selection of examples of good practice that can be applied. By using the work programs blindly, there is a risk of losing the confidence of the auditee and even of missing the largest risks in the project, due to the peculiarities of each project. Therefore, work programs should be used as guidance and specific knowledge of the organization and risks added to it.

Note: A business objective may be listed more than once because it has multiple risks and corresponding control objectives. Note disclaimer.

Business Objective | Risk | Control | Comments/Results/W/P Ref. | COBIT Reference

Data Management Strategy: The data strategy supports the business.

The business strategy may not address data quality and data management issues.

A strategy exists to exploit data in the organization’s possession to support core business objectives.

Future CRM initiatives are discussed by senior management and communicated to the data team so that future data needs can be evaluated.

The data strategy is formally documented and approved by senior management.

Senior management views data management as a strategic business issue that is important to the success of the business.

Data management and data quality are discussed at senior level management meetings.

The use of external data from a third-party vendor is reviewed.

COBIT: PO1, DS2


Future data needs are understood and processes meet these needs.

Excessive costs may occur in changing data definitions and structures.

Data needs may not be met.

The major drivers of change in the collection and use of data within the organization and growth in automated decisions and processes are identified over the next two years.

All projects validate data structure/item needs against corporate data structures and comply when feasible.

The value of data held by the organization is periodically assessed and measured (e.g., users surveyed to determine how well data meets their needs).

COBIT: AI1, PO4, DS8, AI4

Data Ownership and Executive Sponsorship: Business owners and sponsors provide support.

The business owners and sponsors may not support the data warehouse and data initiatives.

An executive director (e.g., CEO, CIO, CFO) is responsible for data quality.

A cross business unit (e.g., steering committee) addresses issues dealing with data management and quality.

A data stewardship program for all data sources is implemented. The steward drives the data quality approach from the business owner's point of view.

COBIT: DS11


Data roles are defined clearly.

A lack of focus may exist regarding data quality, resulting in poor data quality.

Roles and responsibilities for data quality are identified clearly. For example, the roles and responsibilities are documented and communicated to the user on an annual basis.

A formal group is responsible for data quality within the organization.

There is one person or a group of people responsible for the quality of data within each business unit or key category of information.

There is one person or group of people responsible for responding when problems are encountered with data within each business unit or key category of information.

COBIT: PO11, PO10

Key data are properly identified and utilized.

Data may not be organized and understood.

Management has established categories of data by level of importance to the business.

COBIT: PO2

Data


Sufficient audit trails exist.

Research and forensics may not be possible due to a lack of audit trails.

An audit trail is maintained in enough detail and for an adequate period of time to allow management to monitor data warehouse activities, transactions, etc., and to meet the needs of internal and external regulations. Retention for a long period is one of the most important aspects of audit trails and in many cases is itself required by regulation.

Periodic, scheduled audits are performed and documented to verify that established procedures are being followed.

COBIT: DS10, DS11, M4, PO8


Data quality is monitored.

Poor data quality may lead to loss in user confidence.

A center of data excellence is established within the organization to monitor the consistency of data over a period in time.

A feedback mechanism exists to determine the customer’s, vendor’s and user’s level of confidence in the organization’s data.

The quality of data held in the business, processes or systems has a means of being measured.

Vendors and the organization work together in failure analysis and trouble-shooting quality issues to resolve conflicts.

Customer complaints are reviewed for linkage back to poor data.

Reconciliation efforts are investigated to determine if they relate to data quality issues.

COBIT: PO11, DS8, DS11

Data are accurate, consistent, complete, etc.

Data quality may become compromised.

Data policies and procedures surrounding data quality, such as accuracy, consistency, integrity and completeness, are established and communicated to the users.

Data is scrubbed and integrity checks are in place so that only quality data are moved from operational systems to the data warehouse.

Data adhere to a common definition for meaning and use (a common violation is address fields used to record specific notes about a customer).

Data adhere to defined business rules, accepted values and accepted formats (e.g., valid industry codes).

Data contain correct values.

Data adhere to integrity constraints such as reasonableness checks, validity checks, etc.

Processes exist to validate that downloaded or incoming data are loaded successfully, by tracing them back to the system of record.

Data are checked routinely against external sources for accuracy.

Statistical sampling (e.g., a fixed percent of data are checked each month) is used to assess data quality.

COBIT: PO2, DS11, PO4, DS5
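The data quality controls above (accepted formats and values, reasonableness and validity checks, detection of notes typed into the address field, and a fixed-percentage monthly sample) can be turned into a repeatable test. The following is an added example written for this page, not code from the ISACA publication; the customer records, the reference lists of industry codes and countries, the credit-limit ceiling and the note-word list are all constructed assumptions for illustration.

```python
import random
import re
from dataclasses import dataclass

# Constructed sample CRM customer records for illustration (not real data).
SAMPLE_RECORDS = [
    {"id": 1, "name": "Acme Ltd", "industry_code": "5411",
     "address": "12 High Street", "credit_limit": 50000, "country": "GB"},
    {"id": 2, "name": "Globex", "industry_code": "99XX",
     "address": "1 Main Road", "credit_limit": 25000, "country": "US"},
    {"id": 3, "name": "Initech", "industry_code": "7371",
     "address": "CALL BEFORE 9AM - customer is difficult", "credit_limit": 10000, "country": "US"},
    {"id": 4, "name": "Umbrella", "industry_code": "2834",
     "address": "5 Lab Way", "credit_limit": -500, "country": "DE"},
    {"id": 5, "name": "", "industry_code": "5411",
     "address": "9 Low Street", "credit_limit": 5000, "country": "ZZ"},
]

# Reference data the rules are checked against (hypothetical values).
VALID_INDUSTRY_CODES = {"5411", "7371", "2834"}
VALID_COUNTRIES = {"GB", "US", "DE"}
CREDIT_LIMIT_MAX = 1_000_000
ADDRESS_MAX_LEN = 60
# Words that suggest free-text notes have been typed into the address field.
NOTE_WORDS = re.compile(r"\b(call|note|do not|difficult|ask for)\b", re.IGNORECASE)


@dataclass
class Finding:
    record_id: int
    field: str
    rule: str
    value: object


def check_record(rec):
    """Apply completeness, format, validity, reasonableness and field-use rules to one record."""
    findings = []
    rid = rec["id"]
    if not rec.get("name"):
        findings.append(Finding(rid, "name", "completeness: name is required", rec.get("name")))
    code = str(rec.get("industry_code", ""))
    if not re.fullmatch(r"\d{4}", code):
        findings.append(Finding(rid, "industry_code", "format: expected four digits", code))
    elif code not in VALID_INDUSTRY_CODES:
        findings.append(Finding(rid, "industry_code", "validity: code not in reference list", code))
    if rec.get("country") not in VALID_COUNTRIES:
        findings.append(Finding(rid, "country", "validity: country not in accepted values", rec.get("country")))
    limit = rec.get("credit_limit")
    if not isinstance(limit, (int, float)) or not 0 <= limit <= CREDIT_LIMIT_MAX:
        findings.append(Finding(rid, "credit_limit", f"reasonableness: outside 0..{CREDIT_LIMIT_MAX}", limit))
    addr = str(rec.get("address", ""))
    if len(addr) > ADDRESS_MAX_LEN or NOTE_WORDS.search(addr):
        findings.append(Finding(rid, "address", "field use: free-text notes recorded in address field", addr))
    return findings


def sample_records(records, percent, seed=0):
    """Fixed-percentage random sample; the seed makes the monthly sample reproducible for the auditor."""
    k = max(1, round(len(records) * percent / 100))
    return random.Random(seed).sample(records, k)


def run_quality_check(records, sample_percent=100, seed=0):
    """Run the rules over a sample and summarise, so results can be tracked month to month."""
    checked = sample_records(records, sample_percent, seed)
    findings = [f for rec in checked for f in check_record(rec)]
    return {
        "checked": len(checked),
        "records_with_findings": len({f.record_id for f in findings}),
        "findings": findings,
    }


if __name__ == "__main__":
    report = run_quality_check(SAMPLE_RECORDS)
    for f in report["findings"]:
        print(f"record {f.record_id}: {f.field}: {f.rule} (value={f.value!r})")
    print(f"{report['records_with_findings']} of {report['checked']} records have findings")
```

Each rule names the control it implements, so a finding can be tied back to the policy line it violates; the fixed seed is what lets a reviewer re-run last month's sample and get the same records.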

Access to data is restricted.

Inappropriate access to data may exist.

Data owners identify users who need access to pertinent data and provide them with only the level of access needed for their job duties.

Procedures are in place to set up users for the information access they need and are authorized to receive.

Filters block unauthorized access to sensitive or inappropriate information.

COBIT: DS5
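The access controls above come down to two mechanisms: the data owner assigns each role only the fields its job needs, and a filter enforces that assignment on every read and write, with anything not explicitly granted denied and denials logged for review. The following is an added example written for this page (not code from the ISACA publication); the roles, field names and the customer record are hypothetical.

```python
import copy

# Field-level access policy set by the data owner (hypothetical roles and fields).
# Any field not listed for a role is denied: default deny, least privilege.
POLICY = {
    "customer_service": {"read": {"id", "name", "phone", "open_tickets"}, "write": {"phone"}},
    "sales": {"read": {"id", "name", "phone", "segment", "credit_limit"}, "write": {"segment"}},
    "finance": {"read": {"id", "name", "credit_limit", "card_last4"}, "write": set()},
}

# Constructed customer record (not real data).
CUSTOMER = {
    "id": 1001, "name": "Acme Ltd", "phone": "+44 20 7946 0000",
    "open_tickets": 2, "segment": "enterprise",
    "credit_limit": 50000, "card_last4": "4242",
}


class AccessDenied(Exception):
    pass


def read_record(record, role, audit):
    """Return only the fields the role may see; log what was withheld so access can be reviewed."""
    allowed = POLICY.get(role, {}).get("read", set())
    visible = {k: v for k, v in record.items() if k in allowed}
    withheld = sorted(set(record) - allowed)
    audit.append({"event": "read", "role": role, "record": record["id"],
                  "fields": sorted(visible), "withheld": withheld})
    return visible


def update_field(record, role, field, value, audit):
    """Apply a write only if the role's write set includes the field.
    Denied attempts are logged and raised, never silently dropped."""
    allowed = POLICY.get(role, {}).get("write", set())
    if field not in allowed:
        audit.append({"event": "write_denied", "role": role, "record": record["id"], "field": field})
        raise AccessDenied(f"role {role!r} may not write {field!r}")
    updated = copy.deepcopy(record)
    updated[field] = value
    audit.append({"event": "write", "role": role, "record": record["id"], "field": field})
    return updated


if __name__ == "__main__":
    log = []
    print(read_record(CUSTOMER, "customer_service", log))
    try:
        update_field(CUSTOMER, "customer_service", "credit_limit", 0, log)
    except AccessDenied as e:
        print("denied:", e)
    for entry in log:
        print(entry)
```

An unknown role gets an empty view rather than an error, which is the safe failure mode for a filter; the audit list is the evidence an auditor would sample to confirm that the filter, not user discipline, is what keeps card and credit data away from the contact center.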


Data privacy and confidentiality are observed.

Loss of customer confidence may occur.

Policies and standards exist for data that are shared with the public web site.

Data privacy and security compliance are established.

Policies exist regarding the sale or publication of data.

COBIT: PO6, DS5

Data needs are complete.

Nonexistent data may lead to loss of opportunity and business growth.

Data owners identify all required information and acquire nonexisting information from outside the organization to fuel CRM initiatives.

COBIT: DS11

Data are available.

An inability to make business decisions due to a lack of data may exist.

Data can be accessed when required and by the appropriate people.

Knowledge of data and their availability (e.g., meta data) is made known generally to user departments existing outside of IT and project teams.

The organization has a shared information system, drawing together data from a range of divisions and departments.

COBIT: DS11

Data Warehouse Implementation and Data Conversion Risks


A thorough review has been completed of the existing data to be converted.

Errors or anomalies in the old system may not be identified fully, and corrections may not be managed properly.

The system has been balanced and reconciled regularly.

The system has its own internal integrity (e.g., opening balance + receipts – issues +/- adjustments = closing balance).

The security and access controls are sufficient to prevent unauthorized access or usage.

The system has sufficient input validation and error checking to prevent invalid master and transaction data from entering the system.

If tables are used, they have been maintained correctly and are current.

There are no noncurrent data in the system.

There are no missing or incomplete data in the new systems.

COBIT: DS5, DS11

The data conversion system design has specified the means to reconcile both the old system (internally) and the old system to new system on commencement of live production.

Balances from the old system may not be transferred properly to the new system.

The reconciliation procedures ensure that the existing system balances internally at the time of conversion.

The procedures for reconciling the old system to the system master file data and opening balance data are established.

Where the system implementation strategy involves parallel running or staged or phased implementation, procedures for the different types of reconciliations required are identified.

Acceptance criteria, to determine whether the data conversion process has been completed successfully, are defined and agreed upon.

The responsibility for sign-off and audit of completion of the conversion process is defined and agreed upon.

The documentation and supporting materials to be retained, as proof of conversion, are defined.

COBIT: AI1, AI4, AI5, M4

The data to be converted from the old system to the new system have been defined properly.

Balances from the old system may not be transferred properly to the new system.

A match exists between all of the old system data elements and the new system data elements to determine what will be converted, what will not be converted and what will need to be created.

Required selection criteria, purge criteria and translation rules are clearly identified, documented and agreed upon with users.

The validation of the old data to the new system is specified and agreed upon.

Timing for the data conversion is defined and agreed upon with users.

Issues of one-to-many and many-to-one conversions are resolved.

Field length and value are analyzed.

COBIT: AI5, DS4, DS9
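The pre-conversion review (internal integrity of the old system, noncurrent data, missing data) and the old-to-new reconciliation (purge criteria, balances, field length) above are all checks that can be run mechanically against the two extracts. The following is an added example written for this page, not code from the ISACA publication; the legacy and converted extracts, the purge cut-off date and the 20-character name field in the new system are constructed assumptions.

```python
from decimal import Decimal as D

# Constructed legacy extract taken at the conversion cut-off (not real data).
OLD_ACCOUNTS = [
    {"acct": "A001", "customer_name": "Acme Ltd", "opening": D("100.00"), "receipts": D("50.00"),
     "issues": D("30.00"), "adjustments": D("0.00"), "closing": D("120.00"), "last_activity": "2003-03-01"},
    {"acct": "A002", "customer_name": "Globex Corporation", "opening": D("200.00"), "receipts": D("0.00"),
     "issues": D("25.00"), "adjustments": D("-5.00"), "closing": D("175.00"), "last_activity": "2003-02-15"},
    {"acct": "A003", "customer_name": "Initech", "opening": D("10.00"), "receipts": D("0.00"),
     "issues": D("0.00"), "adjustments": D("0.00"), "closing": D("10.00"), "last_activity": "1998-12-31"},
    {"acct": "A004", "customer_name": "Wayne Enterprises International Holdings", "opening": D("300.00"),
     "receipts": D("100.00"), "issues": D("50.00"), "adjustments": D("0.00"), "closing": D("350.00"),
     "last_activity": "2003-01-20"},
    {"acct": "A005", "customer_name": "Stark Industries", "opening": D("40.00"), "receipts": D("0.00"),
     "issues": D("0.00"), "adjustments": D("0.00"), "closing": D("40.00"), "last_activity": "2003-03-10"},
]

# Constructed extract from the new system after the conversion run.
NEW_ACCOUNTS = [
    {"acct": "A001", "customer_name": "Acme Ltd", "balance": D("120.00")},
    {"acct": "A002", "customer_name": "Globex Corporation", "balance": D("175.00")},
    {"acct": "A004", "customer_name": "Wayne Enterprises In", "balance": D("350.00")},
]

PURGE_BEFORE = "2001-01-01"  # assumed purge criterion: no activity since this date
NEW_NAME_LEN = 20            # assumed length of customer_name in the new system


def internal_integrity_failures(old):
    """opening + receipts - issues +/- adjustments must equal closing for every account."""
    return [a["acct"] for a in old
            if a["opening"] + a["receipts"] - a["issues"] + a["adjustments"] != a["closing"]]


def control_totals(rows, amount_field):
    """Record count and amount total: the classic batch control totals."""
    return {"count": len(rows), "total": sum((r[amount_field] for r in rows), D("0"))}


def reconcile(old, new, purge_before=PURGE_BEFORE, name_len=NEW_NAME_LEN):
    """Compare what should have been converted with what the new system holds."""
    purged = [a["acct"] for a in old if a["last_activity"] < purge_before]
    expected = {a["acct"]: a for a in old if a["acct"] not in purged}
    loaded = {n["acct"]: n for n in new}
    common = expected.keys() & loaded.keys()
    mismatched = [k for k in common if expected[k]["closing"] != loaded[k]["balance"]]
    # Silent truncation: old name longer than the new field and new value equals its prefix.
    truncated = [k for k in common
                 if len(expected[k]["customer_name"]) > name_len
                 and loaded[k]["customer_name"] == expected[k]["customer_name"][:name_len]]
    old_totals = control_totals(list(expected.values()), "closing")
    new_totals = control_totals(new, "balance")
    result = {
        "internal_integrity_failures": internal_integrity_failures(old),
        "purged_noncurrent": purged,
        "missing_in_new": sorted(expected.keys() - loaded.keys()),
        "unexpected_in_new": sorted(loaded.keys() - expected.keys()),
        "balance_mismatches": sorted(mismatched),
        "truncated_names": sorted(truncated),
        "old_totals": old_totals,
        "new_totals": new_totals,
    }
    exceptions = [result[k] for k in ("internal_integrity_failures", "missing_in_new",
                                      "unexpected_in_new", "balance_mismatches", "truncated_names")]
    result["signoff_ready"] = not any(exceptions) and old_totals == new_totals
    return result


if __name__ == "__main__":
    for key, value in reconcile(OLD_ACCOUNTS, NEW_ACCOUNTS).items():
        print(f"{key}: {value}")
```

Note that A002 reconciles old-to-new perfectly while still failing the internal integrity check: the conversion faithfully carried an error across, which is why the work program asks for the old system to balance internally before balances are compared with the new one.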


The old system history, the means of retention (e.g., tape) and the duration for which it is to be held are defined.

Decisions are made in relation to any redundant data.

The means of formally closing the old system are defined.

The data cleanup process must be adequately controlled to ensure that amended data are consistent and integrity maintained.

The protection, adherence to and maintenance of data standards may be insufficient to ensure the integrity and successful operation of systems.

The approach to data cleanup is thoroughly planned to ensure that dependencies between data items are maintained.

Data items to be amended and enhanced are identified.

Criteria are agreed upon for determining the data conversion rules.

The tools/programs used to effect changes to data are tested and are reliable.

An auditable trail of the changes applied is produced for management review and sign-off by the data owner or nominated deputies.

All changes applied are reversible or can be backed out by using back-up copies of the data.

Changes are never applied directly to production data.

COBIT: AI5, AI6, DS11
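The cleanup controls above (tested tools, an auditable trail of every change for owner sign-off, reversibility, and no changes applied directly to production) and the audit-trail objective earlier in this work program are served by one mechanism: run the rules on a staging copy, journal each before/after value, and make the back-out verify the journal before restoring. The following is an added example written for this page (not code from the ISACA publication); the staging records, the normalisation rules and the UK-to-GB alias are constructed assumptions.

```python
import copy
import hashlib
import json
import re

# Constructed staging copy of customer records. Cleanup runs here, never against production.
STAGING = [
    {"id": 1, "email": " Alice@Example.COM ", "phone": "(555) 010-0001", "country": "uk"},
    {"id": 2, "email": "bob@example.com", "phone": "555-010-0002", "country": "GB"},
    {"id": 3, "email": "not-an-email", "phone": "", "country": "gb"},
]

COUNTRY_ALIASES = {"UK": "GB"}  # assumed translation rule agreed with the data owner


def normalize_email(value):
    """Trim and lower-case; leave values that are not addresses alone so they surface for manual review."""
    cleaned = value.strip().lower()
    return cleaned if re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", cleaned) else value


def normalize_phone(value):
    """Keep digits only, and only accept the result if it is a complete 10-digit number."""
    digits = re.sub(r"\D", "", value)
    return digits if len(digits) == 10 else value


def normalize_country(value):
    code = value.strip().upper()
    return COUNTRY_ALIASES.get(code, code)


RULES = [("email", normalize_email), ("phone", normalize_phone), ("country", normalize_country)]


def apply_cleanup(records, rules=RULES):
    """Apply the rules to a copy and journal every change with its before/after value."""
    work = copy.deepcopy(records)
    journal = []
    for rec in work:
        for field, rule in rules:
            before = rec[field]
            after = rule(before)
            if after != before:
                journal.append({"seq": len(journal) + 1, "id": rec["id"], "field": field,
                                "before": before, "after": after, "rule": rule.__name__})
                rec[field] = after
    return work, journal


def back_out(records, journal):
    """Reverse the journal newest-first, refusing if a value no longer matches what cleanup wrote."""
    work = copy.deepcopy(records)
    by_id = {r["id"]: r for r in work}
    for entry in reversed(journal):
        rec = by_id[entry["id"]]
        if rec[entry["field"]] != entry["after"]:
            raise ValueError(f"record {entry['id']} field {entry['field']} changed since cleanup; refusing to back out")
        rec[entry["field"]] = entry["before"]
    return work


def journal_digest(journal):
    """Digest of the canonical journal, recorded on the sign-off so the reviewed trail cannot be swapped later."""
    canonical = json.dumps(journal, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


if __name__ == "__main__":
    cleaned, journal = apply_cleanup(STAGING)
    for entry in journal:
        print(entry)
    print("journal digest for sign-off:", journal_digest(journal))
    print("back-out restores staging:", back_out(cleaned, journal) == STAGING)
```

The rules deliberately return the input unchanged when they cannot produce a valid value (record 3's e-mail and empty phone), so bad data is left visible for the steward rather than overwritten; the digest is what the data owner signs, tying the approval to exactly the list of changes that was reviewed.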

Procedures for the creation or conversion of data for the new system have been defined properly.

The protection, adherence to and maintenance of data standards may be insufficient to ensure the integrity and successful operation of systems.

Different means may be used to create/convert data for the new system, such as developing custom programs or using master file bulk or mass conversion tools (e.g., provided in the data warehouse or CRM application). It is necessary to ensure:

- If custom programs are written, the development and testing process follows the normal system development life cycle.

- If a scanning device is to be used to create data, it is fully tested to determine capacity, accuracy and the contents of file outputs.

- If a mass or bulk conversion tool is used, it is fully specified and documented, and capacity needs are determined and tested.

- If the data are keyed, the input programs are tested appropriately and data are verified on input.

- If the data are keyed by a third party (e.g., service bureau), proper instructions and input validation must be specified.

- If data are acquired, they are loaded onto the new system through standard input routines to validate their accuracy.

COBIT: AI4, AI5, DS2, DS11


Adequate project management of the data conversion process is in place.

Errors or anomalies in the old system may not be identified fully, and corrections may not be managed properly.

The entire data conversion process is treated as if it were a separate systems development project. Thus, the normal project management sections should be in place, including:

- Adherence to a structured systems development methodology

- Use of project management tools and techniques to define and manage resources, outputs, costs and time

- Project risk assessment

- Definition of security and access

- Definition of the responsibility for approval and the means for any adjustments discovered as part of the data conversion process.

COBIT: PO9, PO10, DS5


Adequate testing procedures for the data conversion system are in place.

The protection, adherence to and maintenance of data standards and testing may be insufficient to ensure the integrity and successful operation of systems.

Unit, component, string and system testing of all parts of the data conversion systems are completed in the same comprehensive manner as in a normal systems implementation.

The testing to be completed includes all of the different means that will be used in the conversion process.

Depending on the implementation strategy used, this testing process is completed on more than one occasion.

COBIT: AI5

Sufficient training and support exists for data warehouses.

Insufficient maintenance and support may occur for the data warehouse.

End users may not understand how to use the data warehouse and, therefore, reject it.

Sufficient resources are available to provide support and training of data warehouse personnel, end users, etc.

Staff members with responsibility for data are trained in areas such as company knowledge systems, data quality, and data ownership responsibilities.

A structure exists by which users can report data problems to the data and IT support personnel.

There are documented service level agreements (SLAs) between providers and users for data deliverables.

COBIT: DS1, DS7


5. Integration Risks Work Program

The following work program will help manage the integration risks for customer relationship management. Any person auditing, reviewing or advising on controls in a CRM project will need to select tasks from the work program and to consider the key issues raised in the IT Governance Institute publication Risks of Customer Relationship Management as part of their preparation. The work program should not be used as a checklist of best practice, but as a selection of examples of good practice that can be applied. By using the work program blindly, there is a risk of losing the confidence of the auditee and even of missing the largest risks in the project, due to the peculiarities of each project. Therefore, the work program should be used as guidance and specific knowledge of the organization and risks added to it.

Note: A business objective may be listed more than once because it has multiple risks and corresponding control objectives. Note disclaimer.

Business Objective | Risk | Control | Comments/Results/W/P Ref. | COBIT Reference

Data Consistency: Data are consistent between systems.

Lack of uniformity across connected systems may cause conflicts among the applications.

Data validation rules, business rules and system controls ensure the integration of data among multiple systems.

The data definition is clear for key data fields: customer, product, sales order, price, etc.

COBIT: AI2, AI5, DS10

Data Quality: Quality data are maintained between the systems.

When combining information from multiple systems into one CRM application, the risk of inaccurate data may arise. Inaccurate data leads to lack of user buy-in, loss of customers, and failure of CRM adoption.

A comprehensive data quality administration or steering committee can lead to the institution of company-wide data standards.

Data validation tools are used to validate data quality. Using tools to periodically identify and resolve data quality issues immediately can mitigate the risk for larger data quality issues in the future.

Data quality linkage among systems is defined, maintained and measured. Once a data quality administration program is implemented, the following controls are implemented as part of the program:

- Concurrent access that allows logic to be updated with many applications linked to one database/source

- Validation checks

- Data entry controls

- Change procedures

COBIT: AI5, AI6, DS10

Data Structure: Data structures are uniform between systems.

Without a standard customer profile, customer information may not be consistent between systems.

Data loss and inaccuracies may occur.

A complete and thorough analysis of the data structures and data definitions is performed for each system to ensure that each application has the same definition of customer profiles and methods of storing customer data, e.g., flat files, hierarchical databases, or relational databases.

Data relationships are assessed for each system before attempting CRM integration.

XML can be used to mitigate data structure risks by presenting flexible ways to create common information formats and share the format and data.

COBIT: PO2, DS11

Connectivity: Connectivity is maintained to allow data access and transfer between systems.

When combining information from multiple systems into one CRM application, the risk of inaccurate data may arise. Inaccurate data leads to lack of user buy-in, loss of customers and failure of CRM adoption.

EAI is used when feasible and cost-justifiable.

Custom code used as adapters is inserted, tested, documented and maintained properly.

COBIT: PO9, PO11, AI5

Vendor Management: The CRM product meets functionality requirements and the integration effort is reasonable.

The solution may not meet functionality expectations.

The cost and effort to integrate applications may be excessive.

The trade-off between functionality and ease of integration is analyzed before selecting a vendor. For instance, an ERP vendor with a CRM extension may be much more attractive to the consumer from an integration standpoint, but the product may not meet functionality expectations.

COBIT: AI1, AI2

Vendors are researched thoroughly to understand the integration effort.

Integration may be too costly or difficult.

Vendors and the proposed CRM solution are researched to determine the integration effort and any issues that may exist.

Vendors that have fully integrated products, such as Siebel, PeopleSoft, Oracle, SAP and Clarify, can be utilized.

COBIT: AI1, AI2


Vendor performance meets the needs.

Due diligence performed by the company to ensure that the product meets requirements, the vendor and product are stable, etc., may be inadequate.

There may be a lack of quality support from the vendor; therefore, when issues arise, the vendor may not be responsive.

Proper research is performed on CRM vendors to identify integration and functionality issues that may exist within the product itself.

Prior to purchasing a vendor product, management performs a thorough check of the vendor including reference checks, financial position check, escrow agreements, etc.

COBIT: AI1, AI2, DS9

System Maintenance/Manageability: System documentation is maintained.

A change in one area may affect numerous connected systems, cascading into voluminous re-working and re-testing of previously established connectivity.

Potential system downtime, data and productivity loss, and reconfiguration struggles may occur.

A system maintenance and modifications strategy is developed, including periodic releases of changes to customers, change approval, modification rules (“vanilla” vs. modifications allowed), etc.

Systems documentation is maintained for integration issues encountered on the project, e.g., connectivity difficulties.

Changes to systems, applications and connectivity adapters are recorded to help transfer knowledge to future systems administrators.

COBIT: PO6, PO11, AI1, AI6


System obsolescence is avoided.

Technical obsolescence may occur.

There may be a lack of vendor support for older systems.

The organization has confidence in system upgrade procedures due to proper system documentation and knowledge; therefore, the system can be upgraded to keep current with the latest release.

Sufficient planning is performed to understand the effort required to upgrade the system.

COBIT: AI3, AI4, DS9

Post-upgrade testing is performed.

When systems are processing smoothly without incident, administrators may feel that post-upgrade testing is an unnecessary step. Therefore, testing may not be performed thoroughly.

Proper testing and debugging after system changes, maintenance or upgrades are performed to verify previously established connectivity, synchronicity and data quality.

Results are documented and any inconsistencies or errors are investigated thoroughly.

COBIT: AI3, AI5, PO11

Interfaces are manageable.

Interfaces may grow exponentially because of the number of applications that need to be integrated for the CRM solution.

Changes in one application may ripple through other systems, potentially delaying data movement.

Manageability of point-to-point connections is achieved through use of EAI solutions. EAI usually is used for CRM projects that are large in both scope and budget due to its facilitation of data flow in real time, and its effectiveness in managing connectivity.

COBIT: DS11


System Performance: The system is scalable.

The amount of data being transferred, acceptable speed of data transfer or the number of concurrent users may increase, thus increasing uncertainty about stability and response time.

The system may be unstable, resulting in loss of data, loss of productivity and user dissatisfaction.

Before integrating new systems, a thorough systems analysis is executed to expose system weaknesses and mitigate scalability and performance risks.

COBIT: PO9, AI5, DS11

Data are updated in a timely manner.

CRM users may not be able to access customer data in a timely manner.

A proper assessment based on industry, volume and number of users is performed to determine if data needs to be processed in real time or with batch processing.

By taking a hybrid approach to data flow, processing in real time only where the assessment shows it is needed and in batch otherwise, an organization may avoid system performance risks and still meet user needs.

COBIT: DS3, DS7


Backup, Restoration and Continuity: Data can be recovered.

Without proper backup and restore procedures in place, organizations may expose themselves to extensive damage or loss of data as well as productivity losses.

Formal, written and proven backup and restoration procedures are documented and include the responsibilities and time expectations for recovering the system.

The restoration procedures are tested periodically and proven successful.

The organization has formally documented, tested and updated business continuity and disaster recovery plans.

The organization has a way to operate the business in the event of a disaster, system outage or interruption, i.e., manual procedures to enter sales orders, take customer service calls, etc.

COBIT: DS4


Interface Monitoring and Workflow: Data are interfaced properly.

There may be interface errors due to data mapping or translation tables that have changed so that the interfaces do not match, or due to data that have been received in an incorrect format.

Interface errors may not be identified, investigated and resolved in a timely manner.

Customer transactions may not be processed correctly and CRM information may not be complete.

Formal roles and responsibilities are defined for monitoring interfaces and resolving errors.

Manual or automated monitoring controls are used to ensure that interface errors are identified, investigated and resolved in a timely manner.

The criticality and frequency of the interface help determine the type of error identification and resolution procedures needed to ensure data completeness and accuracy. For noncritical or batch interfaces, manual procedures may be sufficient.

Reporting is defined and reviewed regularly to identify interface processing information, such as outstanding errors, days outstanding, etc.

COBIT: PO7, AI4, DS1
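The interface monitoring row above names three distinct failure types (a translation table that no longer matches what the source sends, records arriving in the wrong format, and errors that sit unresolved) and asks for reporting on outstanding errors and days outstanding. The following is an added example written for this page, not code from the ISACA publication; the JSON-lines log format, the status translation table, the expected field set and the three-day escalation threshold are constructed assumptions.

```python
import json
from datetime import date

# Constructed interface log (assumed JSON-lines format): one line per record pushed
# from the order system to the CRM. The last line simulates a corrupt transmission.
INTERFACE_LOG = """\
{"received": "2003-06-01", "record": {"order_id": "O-1001", "customer_id": "C-1", "status": "O", "amount": 120.5}}
{"received": "2003-06-01", "record": {"order_id": "O-1002", "customer_id": "C-2", "status": "H", "amount": 80.0}}
{"received": "2003-06-03", "record": {"order_id": "O-1003", "customer_id": "C-3", "status": "C", "amount": "12.50"}}
{"received": "2003-06-04", "record": {"order_id": "O-1004", "status": "O", "amount": 45.0}}
{"received": "2003-06-04", "record": {"order_id": "O-1005", "customer_id": "C-5", "status": "C", "amount": 9.99}}
this line is not json at all
"""

# Translation table agreed with the source system; a code added upstream ("H") is not here.
STATUS_MAP = {"O": "open", "C": "closed"}
EXPECTED_FIELDS = {"order_id": str, "customer_id": str, "status": str, "amount": (int, float)}
ESCALATE_AFTER_DAYS = 3  # assumed service level for error resolution


def validate(record):
    """Return (error_type, detail) for the first problem found, or None if the record is clean."""
    for field, ftype in EXPECTED_FIELDS.items():
        if field not in record:
            return ("format", f"missing field {field}")
        if not isinstance(record[field], ftype):
            return ("format", f"field {field} has type {type(record[field]).__name__}")
    if record["status"] not in STATUS_MAP:
        return ("mapping", f"status code {record['status']!r} not in translation table")
    return None


def translate(record):
    """Apply the translation table to a record that passed validation."""
    return {**record, "status": STATUS_MAP[record["status"]]}


def process_log(text, today_iso):
    """Accept clean records, classify the rest, and age each error so the report shows days outstanding."""
    today = date.fromisoformat(today_iso)
    accepted, errors = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            errors.append({"line": lineno, "type": "parse", "detail": "not valid JSON",
                           "order_id": None, "days_outstanding": None, "escalate": True})
            continue
        problem = validate(entry["record"])
        if problem is None:
            accepted.append(translate(entry["record"]))
            continue
        age = (today - date.fromisoformat(entry["received"])).days
        errors.append({"line": lineno, "type": problem[0], "detail": problem[1],
                       "order_id": entry["record"].get("order_id"),
                       "days_outstanding": age, "escalate": age > ESCALATE_AFTER_DAYS})
    by_type = {}
    for e in errors:
        by_type[e["type"]] = by_type.get(e["type"], 0) + 1
    ages = [e["days_outstanding"] for e in errors if e["days_outstanding"] is not None]
    return {"processed": len(accepted) + len(errors), "accepted": accepted, "errors": errors,
            "by_type": by_type, "max_days_outstanding": max(ages, default=0),
            "escalations": [e["order_id"] for e in errors if e["escalate"]]}


if __name__ == "__main__":
    report = process_log(INTERFACE_LOG, "2003-06-05")
    print(f"processed {report['processed']}, accepted {len(report['accepted'])}, errors by type {report['by_type']}")
    for e in report["errors"]:
        print(f"line {e['line']}: {e['type']}: {e['detail']} ({e['days_outstanding']} days outstanding)")
    print("escalate:", report["escalations"])
```

A mapping error is reported separately from a format error on purpose: the first means the translation table needs a change-controlled update, the second means the source system's extract has drifted, and the two are owned by different people under the roles the work program asks to be defined.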


6. Channel Management and Integration Risks Work Program

The following work program will help in channel management and in managing the integration risks for customer relationship management. Any person auditing, reviewing or advising on controls in a CRM project will need to select tasks from the work program and to consider the key issues raised in the IT Governance Institute publication Risks of Customer Relationship Management as part of their preparation. The work program should not be used as a checklist of best practice, but as a selection of examples of good practice that can be applied. By using the work programs blindly, there is a risk of losing the confidence of the auditee and even of missing the largest risks in the project, due to the peculiarities of each project. Therefore, work programs should be used as guidance, and specific knowledge of the organization and risks should be added to it.

Note: A business objective may be listed more than once because it has multiple risks and corresponding control objectives. Note disclaimer.

Columns: Business Objective; Risk; Control; Comments/Results/W/P Ref.; COBIT Reference

Channel Strategy

Business objective: The channel strategy provides profitable customer relationships.

Risk:
- Messages across channels may not be consistent.
- Each channel or department may operate independently (silo behavior).
- Channels may not match the demands of the organization's primary customer segments.

Control:
- Cross-functional teams are established to create a formal channel strategy that meets customer needs and provides a profitable relationship for the organization.
- Channels are matched to the demands of the organization's primary customer segments.
- Channel performance is optimized from the perspective of both the customer and the organization.

COBIT reference: PO1

Data Integrity and Consistency


Business objective: Consistent information is provided across channels.

Risk:
- Information regarding product availability, features and price may not be consistent across channels.
- Customers may not know what price, promotion and general experience to expect each time they contact what they perceive to be the same organization.

Control:
- Cross-functional teams compare information across channels.
- Changes to information are considered and agreed upon across all channels.

COBIT reference: AI2

Business objective: Sales channels are integrated to provide consistent brands and information.

Risk:
- Each sales channel is treated as a separate operating unit and configured as a separate organization, which may generate conflicting information and sometimes create competing brands.

Control:
- Sales channels are integrated so that brands and information are consistent.
- Separate operations are not created for each sales channel; instead, operations are integrated across sales channels.

COBIT reference: DS11

Business objective: CSRs understand functionality, policies and procedures across channels.

Risk:
- Inexperienced CSRs may not understand the functionality, policies and procedures of all channels (e.g., Internet, kiosks, telemarketing, face-to-face sales).

Control:
- Initial and periodic training is conducted to educate CSRs about all channels, including policies, procedures, functionality, etc.

COBIT reference: DS7


Business objective: Data are normalized across all channels.

Risk:
- Data may not be collected from all channels.

Control:
- Controls are in place to ensure that the data analyzed include complete and final data from all relevant channels.

COBIT reference: DS11

Business objective: Data are complete and useful.

Risk:
- Data and customer feedback may not be obtained from all relevant channels.

Control:
- Data and customer feedback are obtained from all customer touchpoints to ensure that the data obtained are valuable and present a complete view of the customer.

COBIT reference: DS11

Business objective: The CRM system encompasses all customer-facing channels.

Risk:
- Silo CRM solutions may have been built to service new customer-facing channels.
- Inconsistent service, information and procedures across channels may exist.

Control:
- The CRM solution spans the organization, division, etc., and therefore encompasses all customer-facing channels to ensure consistency.
- The CRM system is integrated across all channels and back into the legacy systems.

COBIT reference: AI6

Business objective: Up-to-date information is available.

Risk:
- Customers may make repeated attempts to get tasks completed.

Control:
- Up-to-date information is dispersed across all touchpoints.

COBIT reference: DS11

Customer Experience

Business objective: Customers are provided with a variety of channels.

Risk:
- Customers may not be provided with the right variety of channels; therefore, they cannot interact with the organization using their preferred channel.

Control:
- Feedback is solicited and analyzed from customers to understand the variety of channels that customers want.
- The channels used by the company match the preferences of the customers.

COBIT reference: M1


Business objective: Customers' interaction occurs through their preferred channels.

Risk:
- Customers' interaction may not be communicated via their preferred channel.

Control:
- Customer channel preferences are understood, and future contact with customers is via their preferred channel.
- Customers have the freedom to interact with the organization via multiple channels, and they are not restricted to only one or two channels.

COBIT reference: DS8, DS13

Business objective: The organization's channels enhance the customer experience.

Risk:
- Organizations may rush to the next communication or distribution medium out of competitive necessity before studying how it will fit into their overall CRM picture.
- Customer experience may not be satisfied despite the addition of new channels.
- Channel development may be unbridled, therefore wasting resources.

Control:
- Organizations fully explore new communication or distribution media to understand how they fit into their overall CRM picture before offering the media to their customers.

COBIT reference: DS7, DS8

Leverage of Customer Information

Business objective: Cross-selling opportunities are identified.

Risk:
- Cross-selling opportunities may not be identified due to inadequate information across channels.

Control:
- Channel information is consolidated and reviewed for possible cross-selling opportunities.

COBIT reference: PO7, DS6


Business objective: Customer profitability is measured across channels.

Risk:
- Profitability information may not be shared across channels; therefore, management will not have a full view of the customer.

Control:
- Customer analysis is performed to identify the least and most profitable customers across sales channels.
- Priority queuing is used to move less-profitable customers to channels that cost less to service.

COBIT reference: DS6


7. Telecommunication Infrastructure Risks Work Program

The following work program will help manage the telecommunication infrastructure risks for customer relationship management. Any person auditing, reviewing or advising on controls in a CRM project will need to select tasks from the work program and to consider the key issues raised in the IT Governance Institute publication Risks of Customer Relationship Management as part of their preparation. The work program should not be used as a checklist of best practice, but as a selection of examples of good practice that can be applied. By using the work programs blindly, there is a risk of losing the confidence of the auditee and even of missing the largest risks in the project, due to the peculiarities of each project. Therefore, work programs should be used as guidance, and specific knowledge of the organization and risks should be added to it.

Note: A business objective may be listed more than once because it has multiple risks and corresponding control objectives. Note disclaimer.

Columns: Business Objective; Risk; Control; Comments/Results/W/P Ref.; COBIT Reference

Call Handling

Business objective: Calls are received, routed and handled properly, resulting in prompt resolution.

Risk:
- Calls may be blocked.
- Calls may be dropped.
- Calls may be misdirected.
- Unauthorized database access may occur.

Control:
- ACD implementations are tested properly to ensure they are coded correctly to route calls to the proper agent, to provide correct announcements to a caller and to place calls into voice mail.
- Only trained personnel can make changes to ACDs, and those changes are tested in a controlled environment at off-peak times.
- Other controls include properly configuring the tables that indicate to the long-distance telephone organization where toll-free 800 numbers should terminate.

COBIT reference: AI3, AI5, AI6, DS7, DS9


Implementation

Business objective: Telecommunications infrastructure is implemented properly.

Risk:
- Applications and systems may fail from incorrect configurations or inadequate engineering.
- Changes may falsely appear to be successful and later, during call center peak operations, be found to be defective.
- Data communications and voice communications may not be coordinated properly.
- Redundancy may not be built into the systems.
- Agents may not be comfortable with modifications to call flows or their work menus.
- Response time degradations may exist.

Control:
- Software is tested to detect programming errors.
- Software is tested to ensure it operates as intended in a live environment.
- Modifications made subsequent to initial testing are retested.
- Systems and applications are backed up prior to installation.
- Implementations are authorized and signed off by management.
- Application features are documented.
- Users are trained on the software.
- Acceptance testing and operations (e.g., backup and recovery) testing are performed.
- Formal change management procedures exist.

COBIT reference: AI3, AI5, AI6


Efficiency

Business objective: Customer interaction center operations and systems are efficient.

Risk:
- Serious service level impairment and excess costs may exist.
- The contact center may not be organized and tooled effectively, so workers have to get up for faxing, obtaining reference material and performing other business functions away from their workstation.

Control:
- Statistical analysis and real-time monitoring are used to measure and improve efficiency. Reader boards, also called marquees, are sometimes used to display metrics and statistics.

COBIT reference: DS1, M1

Business Continuity

Business objective: Business continuity and disaster recovery plans can recover systems and operations quickly.

Risk:
- Customer interaction center operations may be interrupted.
- Customers may be dissatisfied.
- Costs may be excessive.

Control:
- Budgets for disaster recovery options are drafted, not only to provide electronic backup systems for servers and local area networks but also to enable customers to receive uninterrupted service.
- Disaster recovery options that go beyond the retrieval of data, to include voice and data communication and the relocation of business personnel to alternative facilities, have been researched. Technical and business personnel have established a process so everyone knows what course of action to take when an emergency occurs.
- Key call center systems that have plans for recovery include:
  - Voice mail
  - Automatic call distribution (ACD)
  - E-mail servers
  - Customer contact database
  - Standard response database
- The call center BCP plan consists of the following:
  - Plan purpose, assumptions, strategy, responsibilities, organization
  - Plan activation, call list, recovery procedures, restoration procedures
  - External contacts
  - Plan testing and maintenance procedures
  - A monitoring policy
  - Social engineering

COBIT reference: DS2, DS4


Security

Business objective: Physical security exists over the PBX room, adjunct equipment and wiring closets.

Risk:
- Service may be disrupted intentionally.
- Equipment and wiring may be damaged accidentally.
- Unauthorized access to confidential information (e.g., voice mail data) may be gained.

Control:
- All areas related to telecommunications, including the PBX room, communications server areas (e.g., for voice mail servers) and wiring closets, are protected with electronic locks and appropriate alarming.
- Access to telecommunications areas is limited to those who have a need to work in the area.
- Vendors and repair personnel from other organizations are preapproved for access or subject to specific control points, such as signing visitor logs and being escorted when working in the facilities.

COBIT reference: PO4, DS12

Business objective: Users and telephones are assigned only the level of telephony access needed for employees to perform their work.

Risk:
- Users whose duties do not require long-distance dialing may make unauthorized domestic and international long-distance personal calls at the organization's expense.
- Telephones in lobby areas, conference rooms and other public areas may not be restricted, so they may be used to make unauthorized long-distance calls.

Control:
- Each extension is assigned an appropriate "class of service" that permits only the level of telephony access appropriate to either the person using it or its physical location. For example:
  1) Only senior executives with a business need have external call forwarding enabled.
  2) Only the telecom department has the direct trunk select feature, which typically is used for testing purposes. It can also be used to perpetrate toll fraud.
  3) If it is required for business purposes, only trained operators should have the trunk-to-trunk feature that allows them to connect an incoming caller to an outbound trunk. This feature is commonly used to perpetrate toll fraud.
  4) Conference room phones should not have international dialing privileges.
- Profiles are developed for broad classes of positions, including contractors, administrative assistants, executives, switchboard operators and the standard profile for most employees. These profiles relate to classes of service and other determinants of functionality.

COBIT reference: DS5, DS12


Business objective: Password controls exist for the PBX, voice mail and other adjunct equipment.

Risk:
- Unauthorized personnel may dial into the PBX "maintenance port" and obtain the superuser ID(s) via a password cracking utility. With this level of access, telephone records may be destroyed and critical system parameters changed. Changing parameters, such as class of service, may shut down the PBX.
- Confidential information left in employees' voice mail boxes may be obtained, and greetings may be altered maliciously.

Control:
- Standard good practices for passwords are used for all users, administrative users and superusers, including:
  - Adequate password length
  - Hard-to-guess sequences
  - Elimination of installation default passwords
  - Published policies and procedures for all users
  - Mandatory password changes every 60-90 days

COBIT reference: DS5


Business objective: Inactive or unused resources are deleted.

Risk:
- Unauthorized individuals may utilize abandoned or unused voice mail boxes for illegal and untraceable activities.
- Analog lines connected to modems may be used to break into computer systems by bypassing the IP firewall via the voice network, and then compromising IDs and passwords to enter the PBX or voice mail and shut down services.

Control:
- Using telephony management tools, assets are reviewed for currency and last date of use. Unused facilities are made inactive or reused. For example, voice mail boxes and IDs of terminated employees, unused or unneeded analog lines, modem and facsimile lines, and telephone extensions are removed.
- IDs are examined for good practices, such as avoidance of common names, etc.

COBIT reference: DS5, DS13


Business objective: PBX and voice mail security parameters are set appropriately.

Risk:
- Security parameters may be set to default or uncontrolled values.
- Intruders may easily penetrate the PBX and commit toll fraud by illegally selling the organization's long-distance services to others without the organization's knowledge or authorization.
- Unauthorized personnel may place long-distance and international calls, causing the organization, instead of the individual who placed the calls, to incur fraudulent charges for the calls.

Control:
- All security parameters in the PBX and voice mail systems are reviewed for appropriate values. Examples include:
  - Voice mail and PBX superuser IDs and administrative IDs are set to force a password change every 60 days.
  - Tables used to block calls to premium numbers (e.g., 900 numbers) are updated regularly.
  - Trunk-to-trunk transfer is set to "No."
  - The maximum number of attempts to sign on as "administrator" is set at three, preventing continued guessing of passwords by unauthorized personnel.
  - DISA (direct inward system access) is disabled, preventing unauthorized individuals from perpetrating toll fraud. With DISA enabled, users can dial into the PBX, receive a dial tone, and then dial out and make an unauthorized call.

COBIT reference: AI3, DS5


Business objective: Telecommunications documentation is secured.

Risk:
- Trunk access codes, the maintenance port dial-in number and other sensitive information may be obtained internally and used for unauthorized penetration of the PBX.

Control:
- Manual documentation containing critical, security-related information is stored in locked cabinets.
- Sensitive electronic documentation on CD-ROMs is protected adequately with passwords and other standard security measures.

COBIT reference: AI4, DS5

Business objective: Specific functions that are known to create vulnerabilities are reviewed to ensure that, if they are not disabled, management has made a conscious decision to keep them active based on business needs.

Risk:
- Hackers may use the "call forward external" feature to perpetrate toll fraud. They may accomplish this by having an accomplice call-forward a phone to an unauthorized domestic or international location, then calling that extension so they are forwarded to the intended number.
- Hackers may penetrate users' voice mail, enter a two-digit code, get a dial tone and make calls anywhere in the world.

Control:
- Management periodically reviews the security structure of the PBX, voice mail and adjuncts to ensure that excessive permissions are not granted. Examples include:
  - Blocking area codes where no business is conducted
  - Eliminating the ability to get a dial tone from voice mail
  - Eliminating the "call forward external" feature on most telephones
  - Limiting call-out features within the data center
  - Limiting lobby telephones to local calls only

COBIT reference: PO2, PO4, AI6, DS5


Business objective: The PBX and related equipment are protected from unauthorized access via a dial-up modem.

Risk:
- Unauthorized individuals may obtain the range of telephone numbers used in an organization and war-dial it to identify the PBX maintenance port.
- Using password crackers and other techniques, hackers may penetrate the PBX and voice mail systems.

Control:
- The maintenance port on the PBX is protected by two-factor authentication, greatly reducing the likelihood of unauthorized access.
- The analog line connecting the maintenance port to the outside world uses a telephone number that is completely out of the normal range of business numbers.
- The maintenance line does not go through the PBX, but comes directly from the local telephone organization (e.g., central office).

COBIT reference: PO4, AI2

Business objective: Telecommunications activities are monitored appropriately.

Risk:
- A break-in may occur and not be detected until the volume of toll fraud activity becomes significant enough to cause obvious problems, such as excessive busy signals indicating that all trunks are being used for unauthorized traffic.

Control:
- Exception reporting is well designed to identify unusual activity. For example, reports are generated that summarize calls to international locations, list all calls over four hours and show any major repetition of very short calls, indicating hacker activity.
- Exception reports are summarized at a practical level to identify suspicious activity.
- Exception reports are provided online, via a web browser.
- Exception reports are monitored on a timely basis.

COBIT reference: AI4, DS13, PO2, M1


Business objective: Alarm systems provide real-time alerts that operational problems or unusual events, possibly fraudulent, are in progress.

Risk:
- Unauthorized access may be gained to the PBX maintenance port by repeated attempts to crack the ID/password combinations.
- Unauthorized attacks may not be detected.
- Operational malfunctions may not be detected, so telephone service may be interrupted.

Control:
- PBX management software monitors both potential fraudulent activities and operational malfunctions, such as failed trunk lines or PBX call flow interruption.
- Procedures exist for promptly investigating and resolving fraudulent activities and operational malfunctions.

COBIT reference: AI4, DS5, DS10

Business objective: Telecom expenditures are monitored.

Risk:
- Employees may incur large telephone charges for the organization by frequently placing personal calls to long-distance or international locations.
- Telecom charges may be summarized at so high a level that inappropriate or fraudulent activity is not detected.

Control:
- Charge-back reports are produced every month showing telecom expenditures at the departmental level to identify charges that indicate either internal abuse or external toll fraud.
- Managers review charges via a browser and are able to quickly identify suspicious activity or charges.
- Telecom charge-back reports are produced with sufficient detail to enable detection of inappropriate or fraudulent activity. Examples of reports include calls to toll-fraud hot spots, the top 20 long-duration calls and the top 20 most expensive calls.

COBIT reference: DS1, DS6, M1
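The exception reports and the charge-back reports called for in the two rows above (a summary of international calls, calls over four hours, bursts of very short calls, calls to toll-fraud hot spots, the top-N longest and most expensive calls, and departmental totals) can all be produced from the PBX or carrier call detail records (CDRs). The following Python is an added example and is not part of the ISACA work program: the CDR layout (one call per line with timestamp, extension, department, dialed number in E.164 form, duration in seconds and cost), the country-code table, the hot-spot prefix, the thresholds and the sample records are all constructed for the illustration; a real export needs its own parser and the organization's own baselines.

```python
"""Exception and charge-back reporting over call detail records (CDRs).

Added example, not from the ISACA work program. The CDR layout, country-code
table, hot-spot prefix and thresholds below are assumptions; the records are
constructed sample data.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample records. The burst from extension 4999 at 22:13-22:15 is
# the "many very short calls" pattern the work program associates with
# hacker activity (scanning for a dial tone or a DISA code).
SAMPLE_CDRS = """\
# timestamp,extension,department,dialed,seconds,cost
2003-03-10T09:02:11,4101,sales,+12125550142,310,0.62
2003-03-10T09:15:40,4102,sales,+14155550199,95,0.19
2003-03-10T10:05:03,4201,support,+442075550123,1260,9.45
2003-03-10T10:40:20,4201,support,+442075550123,640,4.80
2003-03-10T11:00:00,4301,finance,+12125550101,15300,30.60
2003-03-10T22:13:05,4999,lobby,+5511555501,7,0.10
2003-03-10T22:13:30,4999,lobby,+5511555502,6,0.10
2003-03-10T22:14:02,4999,lobby,+5511555503,5,0.10
2003-03-10T22:14:31,4999,lobby,+5511555504,8,0.10
2003-03-10T22:15:00,4999,lobby,+5511555505,4,0.10
2003-03-10T22:15:27,4999,lobby,+5511555506,6,0.10
2003-03-11T08:30:00,4102,sales,+19005550111,420,17.50
"""

# Constructed lookup tables: a small subset of E.164 country codes, and the
# premium-rate (900 number) prefix the work program says should be blocked.
COUNTRY_CODES = {"1": "NANP", "44": "United Kingdom", "55": "Brazil"}
HOME_COUNTRY_CODE = "1"
HOT_SPOT_PREFIXES = ("+1900",)


def parse_cdrs(text):
    """Parse the constructed CDR text into a list of dicts, skipping comments."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, ext, dept, dialed, seconds, cost = line.split(",")
        records.append({
            "time": datetime.fromisoformat(ts), "ext": ext, "dept": dept,
            "dialed": dialed, "seconds": int(seconds), "cost": float(cost),
        })
    return records


def country_code(dialed):
    """Longest-prefix match of the country code (1 to 3 digits) after the '+'."""
    digits = dialed.lstrip("+")
    for length in (3, 2, 1):
        if digits[:length] in COUNTRY_CODES:
            return digits[:length]
    return "?"


def international_summary(records):
    """Calls, seconds and cost per destination country, excluding the home country."""
    summary = defaultdict(lambda: {"calls": 0, "seconds": 0, "cost": 0.0})
    for r in records:
        code = country_code(r["dialed"])
        if code == HOME_COUNTRY_CODE:
            continue
        s = summary[code]
        s["calls"] += 1
        s["seconds"] += r["seconds"]
        s["cost"] = round(s["cost"] + r["cost"], 2)
    return dict(summary)


def long_calls(records, max_seconds=4 * 3600):
    """Calls over four hours: a stuck trunk or a call that is being resold."""
    return [r for r in records if r["seconds"] > max_seconds]


def repeated_short_calls(records, max_seconds=10, min_count=5):
    """Extensions that placed at least min_count calls of max_seconds or less."""
    counts = Counter(r["ext"] for r in records if r["seconds"] <= max_seconds)
    return {ext: n for ext, n in counts.items() if n >= min_count}


def hot_spot_calls(records, prefixes=HOT_SPOT_PREFIXES):
    """Calls to the organization's list of toll-fraud hot-spot prefixes."""
    return [r for r in records if r["dialed"].startswith(prefixes)]


def top_calls(records, field, n=20):
    """Top-N report by duration (field='seconds') or cost (field='cost')."""
    return sorted(records, key=lambda r: r[field], reverse=True)[:n]


def chargeback_by_department(records):
    """Departmental totals for the monthly charge-back report."""
    totals = defaultdict(float)
    for r in records:
        totals[r["dept"]] += r["cost"]
    return {dept: round(cost, 2) for dept, cost in totals.items()}


if __name__ == "__main__":
    cdrs = parse_cdrs(SAMPLE_CDRS)
    print("international:", international_summary(cdrs))
    print("over 4h:", [(r["ext"], r["seconds"]) for r in long_calls(cdrs)])
    print("short-call bursts:", repeated_short_calls(cdrs))
    print("hot spots:", [(r["ext"], r["dialed"]) for r in hot_spot_calls(cdrs)])
    print("top cost:", [(r["ext"], r["cost"]) for r in top_calls(cdrs, "cost", 3)])
    print("charge-back:", chargeback_by_department(cdrs))
```

On the sample data the international summary shows two UK calls and six Brazilian calls, the finance extension appears in the over-four-hours list, extension 4999 is flagged for six calls of ten seconds or less in three minutes, and the 1-900 call from sales shows up both as a hot-spot call and as the most expensive sales call. The thresholds are the point to adjust: a lobby phone and an outbound dialer have very different legitimate short-call rates, and the hot-spot list should come from the carrier's current fraud advisories rather than being hard-coded.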


Business objective: External monitoring provides a second line of defense against toll fraud.

Risk:
- Unauthorized individuals, having thwarted the organization's internal barriers to toll fraud, may have free rein over the PBX and pass thousands of calls through the victim PBX, resulting in very large long-distance or international charges.

Control:
- Using the long-distance carrier, PBX vendor or other parties, all calls are monitored for unusual traffic patterns, such as a 500 percent increase in calls to a particular international or long-distance location. The monitoring organization uses sophisticated algorithms to detect fraud.
- Once unusual activity is detected, management is notified and presented with options to terminate the activity.

COBIT reference: M1

Business objective: Security restricts access to sensitive, powerful functions.

Risk:
- Unauthorized individuals may commit toll fraud.

Control:
- Access to powerful PBX and CRM functions is restricted properly.

COBIT reference: DS5

Business objective: As a last line of defense, the organization maintains toll fraud insurance.

Risk:
- The PBX may be compromised, resulting in a large financial loss.

Control:
- Arrangements are made with the PBX vendor or long-distance carrier to purchase toll fraud insurance. Any actual losses beyond the deductible are covered.
- The telecom manager reviews security measures to ensure compliance with the conditions of the toll fraud insurance.

COBIT reference: PO8


8. Security Risks Work Program

The following work program will help perform a high-level security audit and manage the security risks for customer relationship management. Any person auditing, reviewing or advising on controls in a CRM project will need to select tasks from the work program and to consider the key issues raised in the IT Governance Institute publication Risks of Customer Relationship Management as part of their preparation. The work program should not be used as a checklist of best practice, but as a selection of examples of good practice that can be applied. By using the work programs blindly, there is a risk of losing the confidence of the auditee and even of missing the largest risks in the project, due to the peculiarities of each project. Therefore, work programs should be used as guidance and specific knowledge of the organization and risks added to it.

Note: A business objective may be listed more than once because it has multiple risks and corresponding control objectives. Note disclaimer.

Columns: Business Objective; Risk; Control; Comments/Results/W/P Ref.; COBIT Reference

User Management

Business objective: Default accounts are safeguarded.

Risk:
- Default accounts may be compromised. Since default accounts are widely known, they are usually the first accounts an intruder will attempt to use. Many of these accounts have powerful system access; therefore, intruders can gain extensive system access.
- If default accounts are not renamed, an attacker may launch a brute force attack to guess the passwords of these default accounts.

Control:
- The default accounts (e.g., administrator and guest accounts) are renamed immediately after installation to a nonobvious name.
- Passwords for default accounts are changed to a not easily guessed password, e.g., a long password containing both alphabetic and numeric characters.
- Accounts are disabled if they are not being used.

COBIT reference: PO4, AI3, DS5


Business objective: Groups contain only appropriate users.

Risk:
- When unnecessary users are assigned as members of groups that have extended privileges, they may use this enhanced ability to compromise the security of the system and gain unauthorized access to sensitive system data.

Control:
- Individuals are assigned as members of the administrators group only if absolutely necessary.
- Users are assigned to groups properly.
- The groups report is monitored on a regular basis to ensure that only authorized users are members of these groups.

COBIT reference: PO4, DS5, M1

Business objective: Naming conventions are established and followed for all user accounts (e.g., end users, contractors, consultants and vendors).

Risk:
- Users may not be easily identified, so unusual activity may not be identified.

Control:
- Standard naming conventions are established and consistently followed for naming each type of user, so that users within each group can be identified easily.
- Temporary accounts used for contractors, consultants and vendors follow an identifiable naming convention that allows these accounts to be easily identified and purged if warranted.

COBIT reference: DS5, DS10, AI3

Business objective: All users and groups in the domain are known and documented.

Risk:
- Domain security may be compromised, as security personnel are not familiar with authorized vs. unauthorized users.

Control:
- All existing groups within a specific domain are documented according to corporate policy.

COBIT reference: DS5

Business objective: Accounts for individuals who are no longer employed or no longer have a requirement for system access are deleted.

Risk:
- The existence of accounts that are no longer needed increases the risk that unauthorized personnel may gain inappropriate access via these accounts, and it would not be identified as unusual activity.

Control:
- Procedures exist to promptly remove unneeded user accounts from the system. They include:
  - Obtaining a listing of recently separated employees from the HR department and ensuring that the former employees' account(s) have been removed or disabled.
  - Automated integration between the HR system and the security system, so user accounts are automatically locked, inactivated, changed or deleted when an employee is terminated or transferred.
  - Periodic monitoring of inactive accounts (e.g., after a specified period of inactivity).

COBIT reference: PO7, AI2, AI4, DS5

Business objective: User accounts are descriptive.

Risk:
- Extraneous, unneeded user accounts may be created.
- Security administrators may not know the background of users assigned to user IDs; therefore, it may be difficult to determine whether user activities are appropriate.

Control:
- All user accounts have an applicable, informative full name and description, such as department, division, etc.

COBIT reference: DS5


Business objective: Passwords are secured within the registry.

Risk:
- The automatic logon option may embed the password of accounts in the registry in clear text; therefore, passwords may be compromised.
- The default password may exist within the registry and, therefore, be compromised.

Control:
- The automatic logon options for servers are not enabled. All users must enter a user name and password each time they log on to the system.
- The registry is reviewed periodically to ensure that it does not contain default passwords.

COBIT reference: AI#, DS5
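The registry review in the row above can be scripted against a regedit export of the Winlogon key, which is where Windows keeps the automatic-logon settings: AutoAdminLogon set to "1" makes the server log on without a prompt, and DefaultPassword holds that account's password as a clear-text REG_SZ value. The following Python is an added example and not part of the ISACA work program; the two .reg exports are constructed, one with the weak setting and one hardened, while the key path and value names are the standard Windows ones.

```python
"""Check a Windows registry (.reg) export for automatic-logon settings that put
a password in the registry in clear text.

Added example, not from the ISACA work program. The two exports below are
constructed; the key path and value names are the standard Winlogon ones.
"""
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed export of a server with automatic logon enabled (the weak state).
WEAK_EXPORT = """\
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon]
"AutoAdminLogon"="1"
"DefaultUserName"="crmsvc"
"DefaultDomainName"="CORP"
"DefaultPassword"="Summer2003"
"""

# Constructed export of the same key after remediation: auto-logon off and
# the DefaultPassword value deleted, not merely blanked.
HARDENED_EXPORT = """\
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon]
"AutoAdminLogon"="0"
"DefaultUserName"="crmsvc"
"DefaultDomainName"="CORP"
"""


def parse_reg_export(text):
    """Minimal .reg parser: {key path: {value name: data}}.

    Quoted data is unescaped as a string, dword data becomes an int, and any
    other type (hex:, expand strings) is kept as the raw text.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, data = line.split("=", 1)
        name = "@" if name == "@" else name.strip('"')
        if data.startswith('"') and data.endswith('"'):
            data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        elif data.startswith("dword:"):
            data = int(data[len("dword:"):], 16)
        keys[current][name] = data
    return keys


def check_autologon(reg_text):
    """Return the findings an auditor would raise for the Winlogon key; [] means clean."""
    values = parse_reg_export(reg_text).get(WINLOGON_KEY, {})
    findings = []
    if str(values.get("AutoAdminLogon", "0")) == "1":
        findings.append("AutoAdminLogon is enabled: the server logs on without a password prompt")
    # A leftover DefaultPassword is a finding even when auto-logon is switched off.
    if "DefaultPassword" in values:
        findings.append("DefaultPassword is stored in clear text in the registry")
    return findings


if __name__ == "__main__":
    print("weak:", check_autologon(WEAK_EXPORT))
    print("hardened:", check_autologon(HARDENED_EXPORT))
```

The second check is deliberately independent of the first: administrators often set AutoAdminLogon back to "0" and leave DefaultPassword behind, which is exactly the "default password may exist within the registry" risk. One caveat for the reviewer: later Windows versions can also keep the auto-logon password as an LSA secret rather than a registry value, and a .reg export of this key will not show that case.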

Business objective: Any account that has not logged on for an extended period of time is disabled.

Risk:
- A malicious user may gain access to system resources used by these accounts.

Control:
- All inactive user accounts are disabled.
- User account listings are reviewed to identify the last logon times of users, to ensure that no one exceeds the corporate standard for the number of days of inactivity allowed before user IDs are locked or deleted.
- If corporate standards do not exist, industry standards are used, such as 60 days of inactivity.

COBIT reference: DS5, DS7, DS10, PO6
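The account review steps in the rows above (reconcile the directory against the HR separation list, flag accounts past the inactivity limit or that never logged on, and flag accounts with no description) come down to one pass over two exports. The following Python is an added example and is not part of the ISACA work program: the export formats (a CSV account listing with username, description, enabled flag and last logon date, and a CSV separation list with username and separation date), the 60-day default and both sample files are constructed; a real review would pull the listing from the directory and the separations from the HR system.

```python
"""Account hygiene review: separated employees still enabled, accounts inactive
beyond the allowed period, accounts that never logged on, accounts without a
description.

Added example, not from the ISACA work program. The CSV layouts and the sample
data are constructed; the 60-day inactivity default is the industry figure
the work program cites.
"""
import csv
from datetime import date

# Constructed directory export, taken as of 2003-03-15.
ACCOUNT_LISTING = """\
# username,description,enabled,last_logon
jdoe,Jane Doe - Sales,1,2003-03-09
bsmith,Bob Smith - Support,1,2002-12-01
tmp-acme1,ACME Corp. consultant (temporary),1,2003-02-20
asmith,Anna Smith - Finance,0,2003-01-02
svc_backup,,1,2003-03-14
nlee,Nathan Lee - Marketing,1,
"""

# Constructed HR separation list.
HR_SEPARATIONS = """\
# username,separation_date
asmith,2003-01-05
bsmith,2003-02-28
"""

SEPARATED_STILL_ENABLED = "separated employee, account still enabled"
INACTIVE = "inactive beyond allowed period"
NEVER_LOGGED_ON = "never logged on"
NO_DESCRIPTION = "no description"


def _rows(text):
    """Yield the fields of each non-empty, non-comment line of a CSV export."""
    lines = [l for l in text.splitlines() if l.strip() and not l.startswith("#")]
    return csv.reader(lines)


def parse_accounts(text):
    accounts = []
    for user, desc, enabled, last in _rows(text):
        accounts.append({
            "user": user, "description": desc, "enabled": enabled == "1",
            "last_logon": date.fromisoformat(last) if last else None,
        })
    return accounts


def parse_separations(text):
    """{username: separation date} from the HR list."""
    return {user: date.fromisoformat(d) for user, d in _rows(text)}


def review_accounts(accounts, separations, as_of, inactivity_days=60):
    """Return {username: [findings]} for enabled accounts that need action.

    Disabled accounts are skipped: the work program accepts "removed or
    disabled" for separated employees, so they are not a finding here.
    """
    today = date.fromisoformat(as_of)
    findings = {}
    for a in accounts:
        if not a["enabled"]:
            continue
        reasons = []
        if a["user"] in separations and separations[a["user"]] <= today:
            reasons.append(SEPARATED_STILL_ENABLED)
        if a["last_logon"] is None:
            reasons.append(NEVER_LOGGED_ON)
        elif (today - a["last_logon"]).days > inactivity_days:
            reasons.append(INACTIVE)
        if not a["description"].strip():
            reasons.append(NO_DESCRIPTION)
        if reasons:
            findings[a["user"]] = reasons
    return findings


if __name__ == "__main__":
    result = review_accounts(parse_accounts(ACCOUNT_LISTING),
                             parse_separations(HR_SEPARATIONS), "2003-03-15")
    for user, reasons in result.items():
        print(user, "->", "; ".join(reasons))
```

On the sample data bsmith is reported twice (separated on 2003-02-28 and 104 days without a logon), nlee has never logged on, and svc_backup has no description; asmith is separated but already disabled, so nothing is raised. In practice the separation check is the one to automate first, since it is the one that depends on another department's data arriving on time.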

Business objective: Privileged user passwords are not widely distributed.

Risk:
- The effectiveness of passwords for sensitive or critical accounts may be weakened by excessive distribution.

Control:
- Privileged account passwords are distributed only to those individuals with a legitimate business need for such access.

COBIT reference: DS5


Password Management

Business objective: Default passwords supplied with software packages are changed upon installation.

Risk:
- Application default passwords may be widely known, and therefore the default user IDs are easy targets for attacks.
- Unauthorized access may be obtained if these passwords are not changed.

Control:
- The administrator is interviewed to confirm that all default passwords have been changed and that default accounts have been renamed and/or disabled if not being used.

COBIT reference: AI3, DS5

Passwords are unique.

Passwords may be easily guessable, resulting in unauthorized access to the system.

Temporary passwords do not remain in use. All new users are required to change their password upon their initial login.

Generic or predictable passwords are not used as an initial password. Each new account is created with a unique and difficult-to-determine password.

DS5

The administrator password is available for emergencies.

The system or user accounts may be locked and an administrator account may not be available, resulting in significant downtime.

The administrator password can be obtained in the event of an emergency.

The administrator passwords are stored in a physically secure location on and offsite.

DS4DS5DS10

© Copyright IT Governance Institute 2003 www.isaca.org/auditprograms 133

Page 134: Crm Work Programs

Business objective: Accounts are locked to prevent invalid logon attempts.
Risk: User accounts may be compromised through brute force attacks.
Control: The account lockout feature is enabled and the related parameters are set in accordance with corporate security standards and guidelines. If no corporate policy exists, industry guidelines are used, which state that accounts are locked after three invalid logon attempts and that the invalid logon counter is reset after 1,440 minutes. Locked accounts remain locked indefinitely until an administrator manually unlocks them.
COBIT reference: PO6, AI3, DS5, DS7
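The three lockout parameters in the control above interact, and the reset window in particular is easy to underestimate. The following is an added example, not code from the work program or from ISACA: it models an account's bad-logon counter under a lockout policy so that a reviewer can replay a sequence of logon events and see when the account locks, and it lists each way a configured policy falls short of the guideline cited above (three attempts, 1,440-minute counter reset, locked until an administrator unlocks). The LockoutPolicy and AccountLockoutState names, the minute-based clock and the event sequences are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Industry guideline cited in the work program: lock after three invalid attempts, reset the
# invalid-logon counter after 1,440 minutes, and keep the account locked until an
# administrator unlocks it (represented below as lockout_duration_minutes = None).
GUIDELINE_THRESHOLD = 3
GUIDELINE_RESET_MINUTES = 1440


@dataclass(frozen=True)
class LockoutPolicy:
    lockout_threshold: int                   # invalid attempts before lockout; 0 disables lockout
    reset_counter_minutes: int               # idle time after which the bad-logon counter returns to 0
    lockout_duration_minutes: Optional[int]  # None = locked until an administrator unlocks


class AccountLockoutState:
    """Bad-logon counter and lock state for one account, driven by a LockoutPolicy.

    Times are minutes on a constructed clock; only differences between them matter.
    """

    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.bad_count = 0
        self.last_bad_minute: Optional[int] = None
        self.locked_at: Optional[int] = None

    def _expire_lock(self, minute: int) -> None:
        # Automatic unlock happens only when the policy has a finite lockout duration.
        duration = self.policy.lockout_duration_minutes
        if self.locked_at is not None and duration is not None and minute - self.locked_at >= duration:
            self.locked_at = None
            self.bad_count = 0

    def record_failure(self, minute: int) -> str:
        self._expire_lock(minute)
        if self.locked_at is not None:
            return "locked"
        # Counter reset: failures separated by at least the reset window do not accumulate,
        # which is why a short window lets slow guessing continue indefinitely.
        if (self.last_bad_minute is not None
                and minute - self.last_bad_minute >= self.policy.reset_counter_minutes):
            self.bad_count = 0
        self.bad_count += 1
        self.last_bad_minute = minute
        if self.policy.lockout_threshold and self.bad_count >= self.policy.lockout_threshold:
            self.locked_at = minute
            return "locked"
        return "failure"

    def record_success(self, minute: int) -> str:
        self._expire_lock(minute)
        if self.locked_at is not None:
            return "denied"  # the correct password does not help while the account is locked
        self.bad_count = 0
        return "success"

    def admin_unlock(self) -> None:
        self.locked_at = None
        self.bad_count = 0


def replay(events, policy: LockoutPolicy):
    """Run a sequence of (minute, 'fail' | 'ok') logon events through the model."""
    state = AccountLockoutState(policy)
    outcomes = []
    for minute, kind in events:
        if kind == "fail":
            outcomes.append(state.record_failure(minute))
        else:
            outcomes.append(state.record_success(minute))
    return outcomes


def policy_findings(policy: LockoutPolicy):
    """Compare a configured policy with the guideline and list each deviation."""
    findings = []
    if policy.lockout_threshold == 0:
        findings.append("account lockout is disabled; guideline locks after 3 invalid attempts")
    elif policy.lockout_threshold > GUIDELINE_THRESHOLD:
        findings.append(f"lockout threshold {policy.lockout_threshold} exceeds guideline of 3 invalid attempts")
    if policy.reset_counter_minutes < GUIDELINE_RESET_MINUTES:
        findings.append(f"counter reset after {policy.reset_counter_minutes} minutes is shorter than the 1,440-minute guideline")
    if policy.lockout_duration_minutes is not None:
        findings.append(f"accounts unlock automatically after {policy.lockout_duration_minutes} minutes; "
                        "guideline keeps them locked until an administrator unlocks them")
    return findings


if __name__ == "__main__":
    guideline = LockoutPolicy(3, 1440, None)
    print(replay([(0, "fail"), (1, "fail"), (2, "fail"), (3, "ok")], guideline))
    print(policy_findings(LockoutPolicy(10, 30, 15)))
```

Replaying three failures an hour apart against a policy with a 30-minute reset window shows the point of the 1,440-minute guideline: the counter never reaches the threshold, so the account never locks, whereas the same events under the guideline policy lock it on the third attempt.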

Business objective: The password for the administrator account is unique across all servers.
Risk: The useful life of any compromised passwords may not be limited. A common administrator password on multiple systems may increase exposure to all systems, because unauthorized personnel have access to all systems if they compromise the password.
Control: All passwords, including the administrative password, are changed periodically in accordance with corporate standards.
COBIT reference: PO6, DS5

Business objective: Data are classified and mapped to security needs.
Risk: Unauthorized access to data may occur.
Control: Data classification is a primary driver for determining the proper security measures needed. By mapping the data to data owners and understanding the data classifications, management is able to determine what groups of users need access to data. This data classification feeds into the design of security roles that are eventually configured into the system.
COBIT reference: PO2, PO4, DS5

Business objective: Strong password controls restrict access to the system.
Risk: Users may reduce the effectiveness of their specific password controls. Unauthorized access may occur if passwords are compromised.
Control: User-level overrides of password policies are not allowed for any user accounts, except for service accounts.
COBIT reference: DS5

Group Management

Business objective: Local and global groups simplify network and security administration.
Risk: Network and security administration may be ineffective.
Control: User accounts are logically grouped through the use of global groups in the authentication domain. Users are grouped according to similar job functions, departments or access requirements.
COBIT reference: PO4, DS5, DS11

Business objective: Naming conventions are established and followed for all global and local groups.
Risk: Nonstandard, unauthorized groups may not be identified easily. Unauthorized access may occur.
Control: Standard naming conventions are set for each type of user group. Each user group can be identified easily. Global groups have different naming standards than local groups. Groups are named identifying the type of group, group purpose and department. No unnecessary additional groups exist on the system. Other than the built-in global groups, no global groups exist outside of the authentication domains.
COBIT reference: DS5, DS9, DS11

File System Access and Management

Business objective: Access to application and system directories and files is restricted.
Risk: Granting excessive permissions to applications may lead to inappropriate access and unauthorized transactions.
Control: The most restrictive level of permissions is used for application and system files and directories. No users, including IT and end users, are allowed excessive permission to application files and directories. If under certain circumstances relaxed permissions are necessary, new groups are created to manage the relaxed permissions; the specific users are then assigned to the new group instead of the regular group. Application and system directories do not allow “write,” “delete,” and “change” permissions to users. Application and system directories do not allow “take ownership” to users. The built-in “special” group has no permissions.
COBIT reference: AI2, DS5, DS11

Business objective: Data files are segregated from application and system directories.
Risk: The appropriate level of security may not be granted for each type of file, and therefore it may be excessive. Directory permission levels may be assigned accidentally to executable program files.
Control: Data files are stored in segregated directories external to the application and system directories, possibly in the data owners’ home directories or the application-specified data directory.
COBIT reference: AI2, DS5

Maintenance and Operations

Business objective: Unattended workstations are secured.
Risk: Unattended servers and workstations may be compromised.
Control: When workstations are not being used, the accounts are logged off from the system console. Users are forced to enable password-protected screensavers. In Windows 2000 environments, users lock their workstations.
COBIT reference: PO4, DS5

Auditing, Logging and Monitoring

Business objective: Auditing is enabled for critical files and directories.
Risk: Unauthorized access to the system may not be detected and terminated in a timely manner due to a lack of audit trail.
Control: Auditing of sensitive system and application files and directories is enabled. For instance, changes to system registry keys are audited.
COBIT reference: DS5, M3

Business objective: All audit logs are archived in accordance with corporate standards and regulatory requirements.
Risk: Inadequate retention of audit logs may result in the inability of an organization to defend itself against unauthorized access.
Control: Policies are followed properly for archiving and purging audit logs. Organization and regulatory requirements (e.g., US Internal Revenue Service, US Federal Trade Commission) are met. “Read,” “change,” and “delete” access to audit files is restricted properly.
COBIT reference: PO8, DS5, DS13, M3

Business objective: Audit logs are secured.
Risk: Unauthorized personnel may delete audit logs to eliminate the audit trails.
Control: Audit logs containing sensitive system information are secured properly (e.g., password protected).
COBIT reference: DS5, DS13

System Development and Change Control

Business objective: Production application and data files are secured.
Risk: Unauthorized access to production and data files may exist.
Control: Programmers and developers do not have access to production or intermediate program and data files. Separate servers are utilized for production, development and testing environments. If separate servers are not utilized, developers have access only to development files and directories; they do not have any access to test and production directories. The migration of programs from development and testing environments to the production environment is controlled through an appropriate segregation of roles.
COBIT reference: PO4, PO11, AI5, AI6, DS9

Security Administration Activities

Business objective: Prior user names are not displayed at login.
Risk: Unauthorized users may gain knowledge of the client domain naming standards and the user name of the last user to log on to the system. This information may be used to gain unauthorized access to the domain.
Control: When logging on to the system, the last user name and default user name are not displayed at login.
COBIT reference: PO6, DS5

Business objective: The system does not shut down if the audit log becomes full.
Risk: A full audit log may cause the server to be shut down.
Control: Full audit logs do not shut down the server. In some cases, it may be necessary to shut down the server when the audit log becomes full, to ensure that an audit trail is always in existence.
COBIT reference: DS10

Business objective: Only legitimate jobs are scheduled.
Risk: The scheduler service may allow an unauthorized user to execute malicious code as an administrator.
Control: The administrator is the only one to schedule jobs in the system. If a separate individual performs this function, the administrator still retains rights to schedule jobs, but only as a backup.
COBIT reference: DS11, DS13

Operational Resilience

Business objective: Disaster recovery and business continuity plans exist.
Risk: Critical operations and systems may not be recoverable in the event of a disaster.
Control: Disaster recovery policies exist for recovering critical operations and systems in the event of a disaster. An organizationwide disaster recovery plan exists. The plan is updated frequently and tested periodically.
COBIT reference: DS4

Business objective: System redundancy and contingency plans are used.
Risk: Hardware failures may lead to the loss or corruption of critical data.
Control: System redundancy (e.g., mirroring, load balancing) and contingency plans are established for critical servers (e.g., the web server for an e-business).
COBIT reference: DS4

Business objective: An uninterruptible power supply is used for critical systems.
Risk: Data and systems may be lost or corrupted in the event of a power loss.
Control: An uninterruptible power supply is used for all critical systems. This provides power for the system to be shut down in the event of power loss or degradation.
COBIT reference: DS4, DS12

Business objective: System backups are performed on a regular basis.
Risk: The systems may not be recoverable.
Control: Incremental daily backups and weekly/monthly full-system backups are performed for all critical systems. The administrator and business lead determine the frequency and completeness of backups (e.g., incremental, partial or full). Daily and weekly/monthly backups are stored in a secured offsite location.
COBIT reference: DS4, DS11

Networking

Business objective: Workstation and time restrictions are enforced.
Risk: Unauthorized personnel may gain access to systems during nonpeak hours when user IDs are dormant.
Control: Users are restricted on the system by enforcing workstation and time restrictions. Note: these controls usually are feasible only for users who utilize one workstation during set hours of the day.
COBIT reference: DS5

Business objective: Users are forcibly disconnected from servers when their login hours expire.
Risk: Unauthorized personnel may gain access to systems through unattended user logon sessions.
Control: Network resources can be accessed only if the user is specifically authorized for access during those hours. The appropriate block-out times are set for the user community. Users are disconnected automatically from the system when their login hours expire.
COBIT reference: DS5

Physical Access

Business objective: Physical access to the data center is strictly controlled.
Risk: Unauthorized personnel may have physical access to the data center and, therefore, access to the system consoles and operations information.
Control: Access to the data center is restricted properly based on responsibilities/roles. All data center access is logged and reviewed on a regular basis.
COBIT reference: DS9, DS11, DS12, DS13

Security Policies and Procedures

Business objective: A general security risk assessment is performed.
Risk: Without a full risk assessment, critical systems and applications may not be identified and secured properly.
Control: A full risk assessment is performed to identify critical systems and applications and the appropriateness of security settings.
COBIT reference: PO9

Business objective: A security awareness program exists.
Risk: Users who are not reminded of good security practices may create security violations inadvertently or intentionally.
Control: A formal security awareness program exists and is updated regularly. All new employees must sign an employee information security policy when hired.
COBIT reference: PO6, PO7, DS5

Business objective: A data classification structure is identified clearly.
Risk: Without a data classification system, it may be difficult to dedicate appropriate resources to protect high-value data.
Control: A data classification system exists and all departments and employees understand how to apply the classification system (e.g., stamping documents, watermarks).
COBIT reference: PO2, DS5

Business objective: The policies and procedures are readily accessible to all employees.
Risk: Employees may not understand security policies and procedures and, therefore, may cause security violations inadvertently or intentionally.
Control: Security policies and procedures are widely distributed throughout the organization.
COBIT reference: PO6, PO7, DS5

Business objective: Security training is a part of new employee orientation.
Risk: Users who do not understand good security practices may cause security violations inadvertently or intentionally.
Control: New hire orientation includes security awareness training.
COBIT reference: PO7, DS7

Security Administration and Management

Business objective: Terminated employees are promptly removed from the system.
Risk: Users may continue to access the system after they have been terminated and have no legal relationship with the organization.
Control: Separations from the organization are communicated immediately to the administrator, and ex-employees are removed promptly from the system.
COBIT reference: PO7, DS5

Business objective: A formal security administration function exists and is communicated throughout the organization.
Risk: End users may not understand whom to call when violations are identified. If security is not someone’s focused effort, it may be forgotten when other crises occur.
Control: A security team or system administrator exists and is completely dedicated to the security of the corporate network and infrastructure.
COBIT reference: PO6, DS5

Business objective: System, application and user access is periodically reviewed.
Risk: Inappropriate access may not be detected.
Control: A formal periodic review process of system, application and user access is performed on a regular basis.
COBIT reference: DS13, M4

Business objective: A standard profile exists for PC configurations to ensure consistency.
Risk: Unauthorized software and hardware additions may not be recognized quickly.
Control: A standard “load” or “image” exists for all laptops and desktops deployed by the organization. Software and hardware licenses are reviewed periodically for appropriateness.
COBIT reference: DS9, DS13

System Level Controls

Business objective: Administrator activities are limited, controlled and monitored.
Risk: System administrators may perform unauthorized activities, which may not be detected.
Control: No one person can create potentially business-crippling changes to the network. Administrator activities are limited, controlled and monitored.
COBIT reference: DS5, DS13, M1

Business objective: For high-volume systems, automated monitoring tools are utilized.
Risk: Volumes of logging data may be produced daily. Without automated tools to flag possibly inappropriate access, it may go unnoticed.
Control: System logging (e.g., inherent to the system or third-party tools) is performed.
COBIT reference: DS8, DS10, DS13

Internet Information Server

Business objective: The latest Internet Information Server program directory structure is installed.
Risk: If the version of the operating system or applications is not current, unauthorized users may be able to exploit weaknesses.
Control: The most current version of the operating system and application contains processing and security enhancements. The most recent security patches have been applied to the servers.
COBIT reference: PO3, AI3, DS5

Business objective: Only required server extensions are used.
Risk: Unnecessary server extensions may expose the IIS server to unnecessary attacks.
Control: The Internet Information Server application is configured to check for the existence of URLs before passing them on to the system’s DLLs. Only required DLLs are mapped for the server.
COBIT reference: DS5, DS11

Firewall Configuration

Business objective: Only authorized ports are allowed on the firewalls.
Risk: Unauthorized personnel may attempt to compromise the firewall or other network devices by targeting specific ports or services.
Control: Only authorized ports are open on the firewall, based on the requirements of the applications within the environment.
COBIT reference: DS5

Business objective: Online business transactions are encrypted (e.g., SSL).
Risk: Unauthorized personnel may sniff unencrypted transactions.
Control: Online business transactions are encrypted.
COBIT reference: DS5

Business objective: Critical firewalls are configured with fail-over or fault tolerance capabilities.
Risk: In the event of a hardware failure, users may not be able to access resources (e.g., the Internet).
Control: Critical firewalls are designed to provide 100 percent uptime through fail-over or fault tolerance.
COBIT reference: DS5

Segregation of Duties/Application-based Security

Business objective: Access to sensitive and powerful transactions is restricted properly.
Risk: Unauthorized access to CRM functions may exist.
Control: Incompatible duties are separated properly within the CRM system and other applications, for example:
- The ability to create a customer and process a credit
- The ability to create a vendor and approve marketing expenditures
- The ability to physically access/take spare parts and process spare parts inventory adjustments
Access to sensitive/powerful master data and transactions (for example, prices and credit limits, which could be used to support fraud and collusion with a customer) is restricted properly within the CRM system.
COBIT reference: PO4, DS5
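Segregation-of-duties conflicts in a CRM system usually arise not from a single role but from the accumulation of roles on one user, so the review has to work from each user's effective permissions. The following is an added example, not code from the work program or from ISACA: it encodes the three incompatible pairs listed above and the "prices and credit limits" sensitivity, resolves each user's roles to permissions, and reports users who can perform both halves of an incompatible pair or who hold sensitive master-data access. The transaction codes, role names and user assignments are assumptions constructed for the example.

```python
# Constructed role model for a CRM system. Transaction codes, role names and user
# assignments are assumptions; only the incompatible pairs and the sensitive
# master data (prices, credit limits) come from the work program.

# Each entry: (permissions on one side, permissions on the other side, description).
INCOMPATIBLE_DUTIES = [
    ({"create_customer"}, {"process_credit"},
     "create a customer and process a credit"),
    ({"create_vendor"}, {"approve_marketing_expenditure"},
     "create a vendor and approve marketing expenditures"),
    ({"physical_access_spare_parts"}, {"adjust_spare_parts_inventory"},
     "physically access/take spare parts and process spare parts inventory adjustments"),
]

# Master data and transactions the work program singles out as sensitive/powerful.
SENSITIVE_PERMISSIONS = {"maintain_prices", "maintain_credit_limits"}

# Role -> permissions granted by that role (assumed).
ROLES = {
    "sales_rep":          {"create_customer", "view_customer"},
    "credit_controller":  {"process_credit", "maintain_credit_limits"},
    "marketing_manager":  {"approve_marketing_expenditure"},
    "procurement_clerk":  {"create_vendor"},
    "service_technician": {"physical_access_spare_parts"},
    "warehouse_clerk":    {"adjust_spare_parts_inventory"},
    "pricing_admin":      {"maintain_prices"},
}

# User -> assigned roles (constructed). Each role is harmless on its own; the
# conflicts appear only when roles are combined on one user.
USER_ROLES = {
    "alice": ["sales_rep"],
    "bob":   ["sales_rep", "credit_controller"],
    "carol": ["procurement_clerk", "marketing_manager"],
    "dave":  ["service_technician"],
    "erin":  ["pricing_admin", "credit_controller", "sales_rep"],
}


def effective_permissions(user, user_roles=USER_ROLES, roles=ROLES):
    """Union of the permissions of every role assigned to the user."""
    perms = set()
    for role in user_roles.get(user, []):
        perms |= roles.get(role, set())
    return perms


def sod_conflicts(user, user_roles=USER_ROLES, roles=ROLES):
    """Descriptions of the incompatible duty pairs this user can perform end to end."""
    perms = effective_permissions(user, user_roles, roles)
    return [desc for side_a, side_b, desc in INCOMPATIBLE_DUTIES
            if perms & side_a and perms & side_b]


def sensitive_access(user, user_roles=USER_ROLES, roles=ROLES):
    """Sensitive/powerful permissions the user holds, for confirmation by the data owner."""
    return sorted(effective_permissions(user, user_roles, roles) & SENSITIVE_PERMISSIONS)


def review_all(user_roles=USER_ROLES, roles=ROLES):
    """Findings per user; users with neither conflicts nor sensitive access are omitted."""
    report = {}
    for user in user_roles:
        conflicts = sod_conflicts(user, user_roles, roles)
        sensitive = sensitive_access(user, user_roles, roles)
        if conflicts or sensitive:
            report[user] = {"conflicts": conflicts, "sensitive": sensitive}
    return report


if __name__ == "__main__":
    for user, findings in review_all().items():
        print(user, findings)
```

A conflict finding means the user should lose one side of the pair or a compensating control (independent review of the transactions) must be evidenced; a sensitive-access finding is a list for the data owner to confirm rather than a violation in itself.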


9. Project Management Risks Work Program

The following work program will help control the project management risks of a customer relationship management implementation project. Anyone auditing, reviewing or advising on controls in a CRM project will need to select tasks from the work program and consider the key issues raised in the IT Governance Institute publication Risks of Customer Relationship Management as part of their preparation. The work program should not be used as a checklist of best practice, but as a selection of examples of good practice that can be applied. Using the work programs blindly risks losing the confidence of the auditee and even missing the largest risks in the project, because every project has its own peculiarities. Therefore, work programs should be used as guidance, and specific knowledge of the organization and its risks should be added to them.

Note: A business objective may be listed more than once because it has multiple risks and corresponding control objectives. Note disclaimer.

Columns: Business Objective | Risk | Control | Comments/Results/W/P Ref. | COBIT Reference

Project Initiation

Business objective: Senior management reviews the project charter and plan and approves the project prior to the project commencing.
Risk: Senior management may not support the project. The project may not be in alignment with business objectives and goals.
Control: The project steering committee reviews and approves project initiation documents to ensure that the project is in alignment with business objectives and goals. The project is approved, with the commitment of continued senior management support. Control is exercised over the existence of formal and written project management procedures in the organization (on an SDLC basis), which provide a good starting point for effective project management.
COBIT reference: PO1, PO10

Project Scope Management

Business objective: Project scope is managed effectively.
Risk: The project may not be implemented on time or on budget due to excessive scope changes.
Control: The project management team should adhere to the business case, taking into consideration priority objectives set and approved by senior management. The project team always refers back to the CRM values to guide the decision-making process. A strong configuration and change management process is used when changing scope. The scope is altered only with executive approval and a thorough analysis of the impact of scope changes.
COBIT reference: PO10, AI6, DS9

Project Integration and Management

Business objective: For complex projects, a project support office is established.
Risk: The project may not be well coordinated, managed and controlled.
Control: A project support office is established to manage the following aspects of the project: issue and risk management, dependency management, scope management, cost and resource management, project standards and procedures establishment, project planning and integration, vendor and contractor management, and organizational change management. Roles and responsibilities are defined clearly, and a project support office is established, with resources at a sufficient experience level.
COBIT reference: PO4, PO10

Business objective: The project contains well-defined business justification, budget, scope, dates and key resources.
Risk: The project may not be well defined; therefore, the business justification, budget, scope, dates and key resources are misunderstood.
Control: During project start-up the following areas are determined and documented:
- Business justification
- Budget statement and justification
- Scope definition
- High-level plan including dates and phases
- Key personnel identification and resource levels
- Key internal and external dependencies
- Critical success factors
- Key risks
COBIT reference: PO5, PO6, PO10

Business objective: A steering committee oversees the project.
Risk: The project may not meet objectives, milestones or budget.
Control: The role of the steering committee is defined clearly. A determination is made as to whether the committee has approval authority or is in a guidance mode with approval authority vested in the managers, especially for the following items:
- Project schedule
- Project standards
- Project personnel assignments
- Project deliverables
If the project is to be managed through a senior management position, this reporting line and accountability should be established and agreed.
COBIT reference: PO4, PO10

Business objective: A steering committee oversees the project.
Risk: The project may not meet objectives, milestones or budget.
Control: A steering committee is established that has representation from all the business functions involved in using, operating and setting policy for the proposed system. The following types of personnel are considered for membership in the committee:
- Senior management (depending on whether management wishes to delegate steering committee roles or perform a hands-on function)
- Information systems personnel, representing database administration, data administration, e-commerce, application development, security, etc.
- Key end users, representing major functional areas and consisting of strong individuals with a key understanding of the business
- Technology personnel, with a key understanding of the new technology and its impact on the organization
COBIT reference: PO4, PO10

Business objective: Internal and external project dependencies are identified and monitored.
Risk: Not all project dependencies may be identified or monitored. Therefore, misunderstood or undetected project dependencies may negatively impact the project.
Control: Project team managers keep a central record of all dependencies during the lifetime of the project. Each dependency is associated with an owner responsible for regularly tracking and updating the dependencies. Regular meetings are scheduled to facilitate communication of dependencies between project teams. External and internal dependencies are reported to senior management regularly, thus making management aware of possible impacts on project deliverables or milestones.
COBIT reference: PO1, AI3, AI6, AI8

Business objective: Dependencies are managed effectively.
Risk: Issues raised by dependencies may not be resolved, increasing the risk of project failure.
Control: Project dependencies are prioritized, and an action plan to resolve them is agreed upon and implemented.
COBIT reference: PO1, PO10

Business objective: A common approach for project administration is utilized.
Risk: Separate and inconsistent approaches may be used for the administration of different projects.
Control: Procedures and standards are in place for:
- New project definition and scope
- Common project tools (e.g., MS Project)
- Project-related travel and accommodation
- Diary management for key project personnel
COBIT reference: PO6, PO10

Business objective: Changes and the possible impact they have on project deliverables and timelines are communicated, monitored and controlled.
Risk: The impact of changes to the project scope and timeline may not be identified before implementation. Changes may be made without proper authorization. Excessive changes may negatively impact project timing and scope.
Control: Any change or deviation from the project baseline requires a change request to be completed and authorized by senior management before work is scheduled or undertaken. All change requests include an impact assessment and are prioritized. All change requests are documented in a central control log that contains the current status. The central control log is updated on an ongoing basis. At agreed intervals, status reports on changes are prepared and communicated to the project team and senior management.
COBIT reference: PO10, AI6

Time and Activity Management

Business objective: The project meets planned milestones and deadlines.
Risk: The project may be delivered late.
Control: A project plan exists to provide a single and consolidated repository of task, resource and cost information. A clear owner is responsible for maintaining the plan, i.e., rescheduling, capturing actual hours/milestones, and producing progress reports against the plan. The project plan is baselined when work is approved initially. When additional work beyond the original scope is sanctioned through a formal change request procedure, the plan is revised and the new tasks are baselined. The baseline process saves the original estimates and schedule for comparison against the working schedule, which allows slippage and/or gain to be monitored easily. Project performance and progress are monitored against the plan to provide an early warning of potential issues when milestones are not met within the specified timeframe.
COBIT reference: PO10, AI2

Cost Management

Business objective: Costs are controlled to stay within the project budget.
Risk: The project may exceed its budgeted costs.
Control: Initial assessments of interfaces, data conversion efforts, customization and expertise are made to ensure that project costs are managed and the budget is realistic. Formal, proven methodologies are used for planning resources, planning and estimating costs, and budgeting and monitoring costs.
COBIT reference: PO5, PO10, AI6

Project Communications Management

Business objective: Senior management is kept regularly informed of the progress of projects and work streams.
Risk: Senior management may not be made aware of all risks and issues on a timely basis.
Control: A communication plan and reporting schedule are defined at the onset of the project. Reporting procedures are developed to describe the frequency and type of reporting, report distribution and the personnel responsible for each critical project activity and action item. Reporting levels, report contents and an overview of items to be tracked regularly are clearly documented. Regular meetings are conducted to communicate project progress, raise key issues, solicit critical management input and make key decisions.
COBIT reference: PO6, PO10

Business objective: The project library provides logistical and informative support to both the project support office and the project groups.
Risk: Pertinent project information may not be available and readily accessible to all team members.
Control: A target list of documents to be collected in both hard and soft (electronic) formats is compiled. The library is set up and operates so that:
- Reference material is easily accessible to all project personnel.
- Distribution of sensitive documents is controlled.
- Standard version control of documents is maintained.
COBIT reference: PO10

Business objective: Documents are produced and changed according to project standards.
Risk: Project team members may create documents without following consistent standards.
Control: Standard software tools are utilized throughout the project. Standard templates are utilized. Deliverable documents are subject to version control. Documentation standards are established and followed consistently for all key project deliverables.
COBIT reference: AI4, PO11

Project Personnel Management

Business objective: Project personnel should be managed appropriately.
Risk: Personnel may not understand their project roles. Key personnel may be lost from the project and the organization, causing the solution to fail.
Control: The organization should perform project personnel planning to ensure that:
- Project roles and responsibilities are defined clearly.
- The best resources are acquired to work on the CRM project.
- Resources are trained properly to perform their project roles.
- Teams work well together.
If heavy reliance is placed on outside resources or contract staff, sufficient knowledge transfer is ensured by pairing company personnel with technology/application experts. Contingency plans and incentives are provided to ensure that project personnel remain in key knowledge champion positions once the system is implemented. Dependence placed on contract staff is moderated.
COBIT reference: PO7, PO10, DS2

Organizational Change Management

(Refer to work program 11, Organizational Change Management, for a detailed work program surrounding this area.)

BusinessObjective

Risk Control Comments/ ResultsW/P Ref.

COBIT Reference

Project Risk Management

Business objective: All risks that may impact the project are identified, documented and managed.

Risks:
- All potential risks may not be identified.
- Unmitigated risks may cause the project to fail to achieve deadlines, costs or operational objectives.

Controls:
- A formal risk assessment is undertaken at the start of the project.
- Each member of the project team is given the opportunity to voice risk concerns throughout the duration of the project.
- All risks are captured and documented in a risk log on an ongoing basis.
- The project support office is responsible for maintaining a risk log and for up-channeling risk issues to senior management.
- Each risk is associated with an owner. The owner is responsible for developing a strategy to mitigate the risk.
- The strategy includes a brief plan of action to be taken and the impacts that the risks have on the current project deadlines, costs or operational objectives.

COBIT reference: PO1, PO9, PO10

Business objective: All issues arising throughout the project are communicated and resolved in a timely manner.

Risks:
- Issues may not be communicated to the appropriate levels within the project or organization.
- Issues may not be resolved in a timely manner.

Controls:
- All issues are captured and documented in an issue log on an ongoing basis.
- Each issue is associated with an owner responsible for its resolution.
- At agreed intervals, status reports on issues are prepared and communicated to project managers.
- An escalation procedure is established to handle issues that cannot be solved at the project level.

COBIT reference: PO6, PO10, PO11

Quality Management

Business objective: Project outcome meets or exceeds customer requirements.

Risks:
- The final project may not meet customer expectations.
- The desired benefits of the project may not be realized.

Controls:
- The organization’s existing quality processes are used to establish a project quality framework.
- Project quality controls and standards are established and applied consistently throughout the project.
- Acceptance and completion criteria are established and used to facilitate quality control of deliverables.
- Quality checkpoints are established and used to measure project processes and deliverables against quality standards and criteria.
- An overall escalation procedure and levels of responsibility are established and used to escalate issues and resolve disputes over rejection and rework.
- Project quality is audited on an ongoing basis.

COBIT reference: PO10, PO11, M1

Business objective: The project is closed formally without significant open items.

Risks:
- Implementation activities may not be completed satisfactorily.
- Contractual issues associated with project closure may not be completed.
- Lessons learned from project issues may not be identified.

Controls:
- All project documentation is completed and filed.
- A project exit review is conducted to ensure that all project tasks are completed satisfactorily.
- Project contractual issues are resolved.
- Project completion documentation is produced and formally signed off.
- Lessons learned are discussed and documented.

COBIT reference: PO10

Technology Management

Business objective: Vendor performance is monitored against contract specifications.

Risks:
- Vendors may not adhere to contract specifications.

Controls:
- A vendor management process is defined and consistently applied throughout the project to include:
  - High-level and detailed definition of requirements
  - Quality standards
  - Quantification of risk associated with hiring the vendor
  - Competitive tendering
  - Contract requirements
  - Vendor performance monitoring
  - Deliverable(s) acceptance only if the final product meets or exceeds expectations

COBIT reference: PO10, DS1, DS2

Regulatory Compliance

Business objective: The CRM project and solution meet regulatory, security and privacy requirements.

Risks:
- The CRM project and/or CRM solution may not be implemented in compliance with regulations and security and privacy requirements.

Controls:
- Project managers must understand the regulations and security and privacy requirements facing their CRM projects. They incorporate project tasks into the project plan to ensure that they are in compliance with regulations that impact their project or the CRM solution, for example:
  - US Gramm-Leach-Bliley Act (GLBA)
  - US Computer Systems Validation
  - US FDA Electronic Signatures and Records Requirements
  - US 21 CFR Part 820
  - US Health Insurance Portability and Accountability Act (HIPAA)
  - EU Data Protection Directive

COBIT reference: PO8, PO10

Business objective: Cultural differences are considered when developing and implementing the CRM solution.

Risks:
- When CRM solutions are implemented across borders, or globally, additional complexities may be introduced. For instance, cultural and economic differences may make strategies and solutions that work in one country impractical for other countries.

Controls:
- Careful attention is paid to cultural differences, and a representative from each country is included in defining the CRM strategy/vision, business case, analysis, design, etc.

COBIT reference: PO6, PO7, PO10, DS1

10. Benefits Realization Work Program

The following work program will help to ensure that the organization is realizing the benefits from the customer relationship management implementation project. Any person auditing, reviewing or advising on controls in a CRM project will need to select tasks from the work program and to consider the key issues raised in the IT Governance Institute publication Risks of Customer Relationship Management as part of their preparation. The work program should not be used as a checklist of best practice, but as a selection of examples of good practice that can be applied. Using the work programs blindly risks losing the confidence of the auditee and even missing the largest risks in the project, because every project has its own peculiarities. Therefore, work programs should be used as guidance, with specific knowledge of the organization and its risks added to them.

Note: A business objective may be listed more than once because it has multiple risks and corresponding control objectives. Note disclaimer.

Defining Business Benefits

Business objective: The CRM initiative is clearly defined from the beginning, with clearly articulated anticipated benefits.

Risks:
- The organization’s objectives for initiating a CRM project may not be clear.
- Management’s expectations may not be articulated.
- The desired benefits may not be defined realistically.

Controls:
- A business case is developed for the CRM project.
- The business case clearly identifies desired business benefits.
- The business case prioritizes the organization’s objectives.
- The business case presents the expected return on investment (ROI) and expected payback period.

COBIT reference: PO1, PO5, PO10

Business objective: The project plans and deliverables are linked to the business case and desired benefits.

Risks:
- The project may progress without a relationship to the business case.
- Project decisions may be made without regard to original project objectives and values.
- The organization may end up with a final project output that does not meet expectations.

Controls:
- Anticipated benefits are mapped to specific project deliverables during the project planning phase.
- All enabling benefits are linked to direct benefits to determine the complete benefit path for achieving the desired business results.
- All dependencies to project deliverables are identified and included in the benefit path.
- Every project deliverable is linked to a desired objective or business benefit.

COBIT reference: PO10

Business objective: Accountability is assigned for achieving each benefit.

Risks:
- Sponsors for benefits may not be identified.
- All activities necessary to achieve the benefits may not be completed.

Controls:
- An appropriate business or process owner is identified and assigned accountability for each benefit.
- Accountability rests with individuals who can impact or influence the delivery of project outputs (e.g., process, technology or people changes).

COBIT reference: PO5, PO9

Monitoring Benefits

Business objective: Benefits monitoring is a continuous process throughout the project lifecycle.

Risks:
- Project decisions may be made without regard to the original project objectives and values.
- The final project output may not meet expectations.

Controls:
- Accountable individuals are part of the extended project team and are involved actively.
- Project decisions are reviewed against potential impact to anticipated benefits.

COBIT reference: PO10

Business objective: Indicators for measuring success are identified.

Risks:
- The organization may not be able to measure the performance and success of the project.

Controls:
- Success indicators are defined and communicated clearly to the project team.
- Baseline performance data are collected to provide the basis for comparison.
- Appropriate sets of metrics are developed for direct and enabling benefits.
- Tools are used to facilitate collection of data and calculation of results.

COBIT reference: M1, PO10

11. Organizational Change Management Work Program

The following work program will help to ensure that the organization is managing the organizational changes arising from the customer relationship management implementation project. Any person auditing, reviewing or advising on controls in a CRM project will need to select tasks from the work program and to consider the key issues raised in the IT Governance Institute publication Risks of Customer Relationship Management as part of their preparation. The work program should not be used as a checklist of best practice, but as a selection of examples of good practice that can be applied. Using the work programs blindly risks losing the confidence of the auditee and even missing the largest risks in the project, because every project has its own peculiarities. Therefore, work programs should be used as guidance, with specific knowledge of the organization and its risks added to them.

Note: A business objective may be listed more than once because it has multiple risks and corresponding control objectives. Note disclaimer.

Organizational Change Management Process

Business objective: There is a defined project workstream to address organizational change.

Risks:
- There may be a lack of focus and activities to address organizational change.
- No one may be assigned responsibility or accountability for organizational alignment.
- All activities necessary to achieve organizational change may not be completed.

Controls:
- Change management activities are included in the overall project planning activities for the CRM implementation.
- Change management timelines and milestones are incorporated in the project plan.
- The change management team is included in all project team meetings.
- The same level of reporting and monitoring of change management activities is required as with all other project workstreams.

COBIT reference: AI6, PO6

Business objective: Change management requirements for the CRM implementation are defined.

Risks:
- If the extent of the changes that will result from the CRM implementation is not clearly understood, the appropriate steps to prepare the organization may not be undertaken during the course of the implementation.

Controls:
- The objectives of the CRM implementation and its intended business results are articulated.
- The changes (process, systems, organizational structure, staffing, etc.) that may be required are identified.
- An owner for each defined change is identified.
- The change owner is engaged as early as possible in the implementation.

COBIT reference: PO1, PO4, AI6

Project Strategy

Business objective: The project strategy delivers quick wins, if needed, to encourage morale and adoption.

Risks:
- Sustained organizational commitment and support for the initiative may wane over time without demonstration of quick wins that clearly show the benefits of CRM to the organization.

Controls:
- The organization focuses on delivering quick wins when planning the project, to help ease user adoption and build excitement for the new solution.
- Demonstrable improvements to the process, or to people’s ability to contribute to the project’s end goal, are shown.
- Quick wins are communicated and celebrated to maintain momentum and encourage continued change support.

COBIT reference: PO10

Business objective: The timing of organizational change activities is closely aligned with project activities and timelines.

Risks:
- Organizational change activities may not be done in coordination with implementation activities and communication.
- An attempt at addressing organizational change may be made only at the time of, or after, system rollout.

Controls:
- Activities are planned in alignment with overall project milestones.
- Change management timelines and milestones are incorporated in the project plan.
- The change management team is included in all project team meetings.

COBIT reference: AI6, PO10

Project Sponsorship

Business objective: Leadership is engaged in the change management initiative.

Risks:
- Management support may not be obtained and, therefore, is not sustained during the implementation.

Controls:
- Senior management buy-in of the required changes is obtained.
- Senior management commitment to, and support of, the change management activities that will be carried out to prepare the organization are obtained.
- A sponsor who will be personally vested in ensuring project success is identified.

COBIT reference: PO1

Department Involvement and Employee Representation

Business objective: Commitment is obtained and maintained from key departments and employee representatives.

Risks:
- If no commitment is obtained from specific individuals to drive change management, activities will not be carried out as planned and will end up falling back to members of the project team.

Controls:
- Teams are built that are responsible for carrying out change management activities.
- Involvement and participation come from all affected departments, and the top performers are part of the project team.
- A communication framework is established that will address communication needs at all levels: project teams, stakeholders, end users, etc.

COBIT reference: PO3, PO4

Plan for Change/Resistance to Change

Business objective: Change strategy is defined.

Risks:
- The organization’s change readiness is not assessed, and therefore activities may not be in line with organizational requirements.

Controls:
- The organization’s readiness to adopt the required changes has been assessed.
- The change management activities are planned and defined in line with the organization’s change readiness.
- A change management governance structure is established that is responsible for ensuring that change management activities are being carried out as planned.

COBIT reference: AI6

Business objective: A change management culture is developed.

Risks:
- The project team and end users may not embrace the changes.

Controls:
- A change management culture exists to impact the values, behaviors and mindset of the project team and end users.

COBIT reference: PO6

Business objective: The organization’s change readiness is assessed and considered.

Risks:
- The organization may not be ready for the changes being introduced through the new CRM implementation.

Controls:
- Change readiness exists along the lines of the following categories:
  - Project management risks: project management expertise; project management methodology; program management; project tools; project planning, monitoring and milestones; project controls; project scope and approach; vendor and contractor management and deliverables; project staffing; project training; project communication.
  - Technical risks: hardware and software design methods; system architecture design methods; networking acceptance procedures; performance, sizing and availability acceptance procedures; disaster recovery and business continuity plans.
  - Functional risks: requirements definition methods; business process design methods; data management methods; reliability and usability; legacy system integration methods; program change management.
  - Executive sponsorship: alignment with other initiatives; commitment; executive support; sponsorship.
  - User acceptance testing approach and results: conference room pilot; test environment; test data; test approach; validation and sign-offs.
  - Organizational risks: organizational alignment; release integration; business process redesign methods; organizational change management; business process change integration approach; skill gap analysis and retraining; documentation.
  - Operational and production support: problem resolution and escalation; user support (help desks, etc.); IT production support plans; documentation.
  - End-user training and pilot: training program; training schedules and participants; trainees’ feedback.

COBIT reference: AI3, AI5, AI6, DS4, DS7, DS8, DS10, PO9, PO10

Business objective: Organizational change addresses the appropriate areas, such as training, organizational restructuring and employee readiness.

Risks:
- There may be a lack of readiness in the organization to accept and implement CRM.
- Organizational alignment and reorganization may not be considered.
- Training for users, and its timing, may be inappropriate.

Controls:
- The organization’s training needs have been assessed.
- Adequate training in line with the organization’s requirements is planned.
- CRM champions are identified who will help communicate the benefits of CRM throughout their respective sections of the organization.
- Changes in functional responsibilities are identified, and plans exist for any necessary organizational restructuring.

COBIT reference: PO7

Communication

Business objective: Organizational change includes constant education and communication with employees and sustained stakeholder management.

Risks:
- There may be a lack of communication with employees, users and customers.
- Communication may be provided without context to implementation activities and implications.
- The business case and benefits may not be communicated clearly with the message of upcoming change.
- Rumors of project activities and implications may be apparent prior to any formal communication.

Controls:
- A communication framework exists, addressing information needs at all levels.
- Existing communication channels are utilized to leverage the organization’s infrastructure.
- Steps are identified to encourage regular dialogue with the user community. Questions are encouraged and feedback solicited as early as possible, and throughout the implementation.
- User concerns are addressed, to minimize speculation.

COBIT reference: PO6, PO11

Business objective: A change vision is understood.

Risks:
- Users may be apprehensive of the changes that will occur and may not understand the overall impact.
- Users may reject the changes.

Controls:
- A strategic vision is developed and communicated within the project team and the organization. The vision is comprehensive and operational, so employees understand the overall impact and also how it will impact their job function.
- A compelling change story exists for the organization, the functions impacted and specific employee roles.

COBIT reference: PO1

Training

Business objective: Employees and customers receive the proper training.

Risks:
- Training may not teach workflow, processes, internal controls (e.g., approvals and monitoring controls), and new roles and responsibilities.
- Problems with integrity of transactions, quality of data, timeliness of input, lack of consistency in monitoring controls, etc., may exist.

Controls:
- Training is planned sufficiently, with adequate time allotted and training materials to support the users.
- Various teaching methods are used to promote retention of information.
- The training includes the user’s role in the new organization, the new processes and their responsibilities, in addition to how to use the system.

COBIT reference: PO7

Functional Roles, Skills and Security

Business objective: The organizational structure changes are understood.

Risks:
- Employees may reject the changes due to lack of understanding.

Controls:
- An organizational reporting structure exists.
- Employees’ roles and their corresponding performance measures are clearly communicated.
- Integrated workgroups are used to develop the new solution to ensure a clear cross-departmental understanding.

COBIT reference: PO4, PO7

Business objective: Roles and responsibilities are defined clearly.

Risks:
- Incorrect security may exist.
- Incompatible duties may not be segregated properly.
- Training may not be built properly.
- Employees may not have the right skills for their new roles.

Controls:
- Roles and responsibilities are developed early in the implementation project to ensure ample time for security, training and documentation of new responsibilities.
- Role-based application security is built, and users have access only to the transactions and information they need for business purposes.
- A segregation of duties matrix ensures that incompatible duties are properly segregated.
- Training is in place for all functional roles and includes interaction with other roles/departments and the overall business processes, workflows and corresponding impacts.
- Skill and training gaps are identified early in the implementation to ensure that employees can be properly trained.

COBIT reference: PO7, PO10, DS5, DS7

Management Information and Data Sharing

Business objective: Management is able to obtain useful management information and data from the CRM system.

Risks:
- Employees may reject new data sharing models.
- Management information and data may not be useful.

Controls:
- Employees can earn incentives for maintaining accurate and timely information in the new systems.
- An understanding of the benefits to the organization, and to specific groups of employees, of maintaining accurate and timely information is communicated.

COBIT reference: DS10

Business Process Change

Business objective: Business processes are changed to accommodate the new CRM solution.

Risks:
- Departments and processes may not be realigned properly.
- Employees may not understand cross-departmental workflows and business processes; these need to be understood both by the project team when building the new CRM solution and by the end-user departments that will use the new system.

Controls:
- Business practices and daily operational processes are reviewed, in light of the CRM capabilities, to align them with CRM objectives, streamline the processes to become more efficient and take advantage of best practices.

COBIT reference: PO4, M1

Reward Mechanisms

Business objective: Performance management techniques are used to drive the right behavior.

Risks:
- Poor behavior may be encouraged, while good behavior may be discouraged.

Controls:
- Performance metrics and management techniques to drive the right behavior are used. These include rewards for the project team and end users to encourage that the system be implemented on time, on budget and according to expectations, and then adopted by end-user departments.

COBIT reference: PO11

12. Privacy Work Program

The following work program will help to manage the privacy risks surrounding customer relationship management. Any person auditing, reviewing or advising on controls in a CRM project will need to select tasks from the work program and to consider the key issues raised in the IT Governance Institute publication Risks of Customer Relationship Management as part of their preparation. The work program should not be used as a checklist of best practice, but as a selection of examples of good practice that can be applied. Using the work programs blindly risks losing the confidence of the auditee and even missing the largest risks in the project, because every project has its own peculiarities. Therefore, work programs should be used as guidance, with specific knowledge of the organization and its risks added to them.

Note: A business objective may be listed more than once because it has multiple risks and corresponding control objectives. Note disclaimer.

Access

Business objective: Employees’ access to personal and sensitive information within the CRM system is controlled appropriately.

Risks:
- Inappropriate access to personal information may result in misuse of the information and noncompliance with the organization’s privacy notice and policies and procedures.

Controls:
- Employees’ access to personal information is limited to the information they need to perform their job functions.
- A business case is required before employees receive access to sensitive information. For example, all access requests are reviewed and formally approved (signature) before a user is granted access to the system.

COBIT reference: PO2, DS5, DS11

Business objective: Employee access to personal information is reviewed on a regular basis.

Risks:
- Employees may have inappropriate access to personal information due to changes in job status or responsibilities.

Controls:
- Regular reviews of employee access to personal information within the CRM system are performed. The reviews are designed to determine whether access levels should be adjusted based on employees’ current job responsibilities.

COBIT reference: PO7, DS5, DS11
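The role-based access and segregation of duties matrix controls in the Functional Roles, Skills and Security row of work program 11, together with the need-to-know access and regular access review controls in the two Access rows above, can all be scripted against an export of CRM entitlements compared with the HR roster. The Python block below is an added example and is not part of the ISACA work program; every role, permission, conflict pair and account in it is constructed sample data, and it assumes that each HR job title corresponds to exactly one CRM role.

```python
"""Access review over a CRM entitlement export (added illustration, not
part of the ISACA work program).

It scripts three controls from the work program: employees hold only the
permissions their current job needs, incompatible duties are caught by a
segregation-of-duties (SoD) matrix, and access is recertified against the
HR roster. All roles, permissions, conflict pairs and accounts below are
constructed sample data; the model assumes one HR job title maps to one
CRM role.
"""
from dataclasses import dataclass, field

# Permissions each CRM role legitimately needs (constructed sample).
ROLE_PERMISSIONS = {
    "sales_rep":       {"contact.read", "opportunity.write"},
    "sales_manager":   {"contact.read", "opportunity.read", "discount.approve"},
    "billing_clerk":   {"contact.read", "invoice.create"},
    "billing_manager": {"contact.read", "invoice.approve"},
    "crm_admin":       {"user.admin", "security.config"},
}

# SoD matrix: pairs of permissions no single person may hold at once.
SOD_CONFLICTS = {
    frozenset({"invoice.create", "invoice.approve"}),
    frozenset({"opportunity.write", "discount.approve"}),
    frozenset({"user.admin", "invoice.approve"}),
}


@dataclass
class Account:
    user: str
    hr_role: str                                     # current job per HR roster
    crm_roles: set = field(default_factory=set)      # roles granted in the CRM
    direct_grants: set = field(default_factory=set)  # permissions granted outside any role


def effective_permissions(acct):
    """Union of role-derived permissions and direct grants."""
    perms = set(acct.direct_grants)
    for role in acct.crm_roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def sod_violations(perms):
    """Conflict pairs fully contained in the permission set, as sorted tuples."""
    return sorted(tuple(sorted(pair)) for pair in SOD_CONFLICTS if pair <= perms)


def excess_permissions(acct):
    """Permissions beyond what the account's current HR role needs."""
    needed = ROLE_PERMISSIONS.get(acct.hr_role, set())
    return sorted(effective_permissions(acct) - needed)


def stale_roles(acct):
    """CRM roles left over from a previous job (assumes one role per HR job)."""
    return sorted(r for r in acct.crm_roles if r != acct.hr_role)


def review(accounts):
    """Return findings keyed by user; accounts with no findings are omitted."""
    findings = {}
    for acct in accounts:
        finding = {
            "sod": sod_violations(effective_permissions(acct)),
            "excess": excess_permissions(acct),
            "stale_roles": stale_roles(acct),
        }
        if any(finding.values()):
            findings[acct.user] = finding
    return findings


# Constructed sample roster: bob was promoted but kept his old role; carol
# received a direct grant her job does not need, which also conflicts with
# a permission she already holds through her role.
SAMPLE_ACCOUNTS = [
    Account("alice", "sales_rep", {"sales_rep"}),
    Account("bob", "billing_manager", {"billing_clerk", "billing_manager"}),
    Account("carol", "sales_rep", {"sales_rep"}, {"discount.approve"}),
    Account("dave", "crm_admin", {"crm_admin"}),
]

if __name__ == "__main__":
    for user, finding in review(SAMPLE_ACCOUNTS).items():
        print(user, finding)
```

Run against the sample roster, the review flags bob (old billing_clerk role retained after promotion, which also creates an invoice create/approve SoD conflict) and carol (a direct grant outside her role that conflicts with her existing opportunity.write permission), and reports nothing for alice and dave. The same three checks can be rerun at each review interval, which is what turns the work program's "regular reviews" control into a repeatable, evidenced procedure.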

Business objective: Sensitive personal information collected and maintained in the CRM system is secured.

Risks:
- Personal information may be unsecured and accessed by inappropriate parties, which could result in noncompliance with the organization’s privacy notice.

Controls:
- Strong authentication and authorization controls, firewalls, operating system controls and encryption standards secure sensitive personal information.

COBIT reference: DS5, DS11

Business objective: Physical controls protect against identity theft.

Risks:
- Unauthorized use of customer accounts may result in financially unrecoverable losses for the organization. Note: although electronic access is growing in importance, access to paper documents by improper individuals still poses a great risk of identity theft.

Controls:
- Printed outputs from the CRM system (e.g., statements, forms, applications) and handwritten notes taken by employees are disposed of properly. Alternatives include locked garbage/recycling cans and outsourcing to professional disposal organizations.
- Documents sent to customers are reviewed regularly to ensure that they contain the minimum information necessary.

COBIT reference: DS9, DS12

Business objective: The use of government-issued identifiers, such as social security numbers, is assessed and limited.

Risks:
- Overuse of identifiers issued by national authorities increases the risk of identity theft and may make customers uncomfortable about their privacy.

Controls:
- A risk assessment of current practices is performed and high-risk areas are addressed.
- Policies around the use of government-issued identifiers are created and monitored.

COBIT reference: PO8, PO9

Business objective: Best practice user and caller identification methods are in place.

Risks:
- Without appropriate authentication procedures, organizations may provide personal customer information to inappropriate parties.

Controls:
- Changes to caller authentication questions are reviewed on a regular basis. Caller authentication questions are questions that the customer can answer but that would be difficult for a stranger to answer.

COBIT reference: DS5, DS11

Regulatory Compliance

Business objective: The organization identifies the privacy legislation that it is subject to for all the countries and territories in which it operates.

Risks:
- Organizations may be unaware of the privacy legislation they are subject to and may not be able to meet regulatory requirements.

Controls:
- New privacy legislation in the countries in which the organization operates is monitored on a regular basis. Any new legislation or updates to existing legislation are reviewed and forwarded to the appropriate individuals.

COBIT reference: PO8

Business objective: The organization implements compliance programs for applicable privacy legislation.

Risks:
- Organizations that do not implement appropriate compliance programs may misuse customer information and be subject to regulatory action.

Controls:
- Compliance occurs in a timely manner within the appropriate divisions of the organization.

COBIT reference: PO3, PO4, PO8

Business objective: The organization monitors compliance with privacy legislation on an ongoing basis.

Risks:
- Lack of monitoring may lead to noncompliance with privacy legislation.

Controls:
- Internal or external parties conduct privacy audits on a regular basis.

COBIT reference: PO6, PO8, M1

Business objective: All system changes with a material impact on customer information must pass a privacy test.

Risks:
- The business units requesting system changes and the development team responsible for implementing them may not be aware of privacy issues.
- Without a formal review of changes that impact the use of and access to customer information, organizations may use the information inappropriately.

Controls:
- The privacy management team is a part of the system change methodology. Working with the development team, it develops a test or set of standards that must be met before system changes that may impact customer privacy are implemented.
- The individual(s) responsible for reviewing changes are independent of marketing, IT and the functional areas that made the change request.

COBIT reference: PO6, AI6

Business objective: Emerging privacy laws are monitored for their relevance to systems.

Risks:
- Unexpected privacy law changes may require costly and unplanned changes to systems and procedures.
- Organizations may not implement the changes at a time that is most cost-efficient.

Controls:
- A formal method for tracking relevant emerging legislation is in place.
- Possible functional changes are discussed with IT to ensure that the system changes are made at the most opportune time in the development cycle.

COBIT reference: PO4, PO8, AI6

Privacy Organization and Management

Business Objective: The organization has personnel responsible for addressing privacy concerns.

Risk:
- Privacy issues may be present within the organization, and they may not be detected and addressed due to the absence of a privacy group or a chief privacy officer who focuses on privacy regulations and issues.
- Noncompliance with privacy regulations may exist.

Control:
- A privacy organizational structure is developed and implemented at the organization.
- The structure is staffed with individuals who are knowledgeable about privacy issues, provided with the authority to implement the necessary privacy procedures and given appropriate funding.

COBIT Reference: PO7

Business Objective: The privacy group is involved with decisions that affect personal information.

Risk:
- Decisions about personal information may not reflect the implications of privacy policies and applicable privacy legislation.
- Noncompliance with privacy regulations may exist.

Control:
- The privacy group is consulted when decisions are made that involve personal information.
- Privacy policies and applicable privacy legislation are considered when making decisions affecting personal information.

COBIT Reference: PO4, PO8

Business Objective: Employees are made aware of the organization’s privacy policies and procedures for handling personal information.

Risk:
- Employees may use personal information inappropriately.
- Noncompliance with privacy regulations may exist.

Control:
- Privacy policies and procedures are developed and distributed to all employees.
- Employees are trained on privacy policies and procedures.

COBIT Reference: PO7


Disclosure

Business Objective: The organization’s privacy notice accurately describes its practices regarding the collection of personal information.

Risk:
- Personal information that is collected from consumers and entered in the CRM system may not follow the collection practices outlined in the organization’s privacy notice.

Control:
- The method of collecting personal information is described fully and accurately in the organization’s privacy notice and its privacy policies and procedures.
- The privacy notice addresses all personal information, whether posted online, mailed to customers or developed for internal use only.
- Any new practices or uses of customer information are reflected in the privacy notice.

COBIT Reference: PO6, PO8, DS5

Business Objective: Full and accurate disclosure of the organization’s privacy practices is provided to customers in a privacy notice.

Risk:
- Customers may not want to transact with an organization if they do not know how their information will be used and secured.

Control:
- Industry best practices and applicable privacy regulations are reviewed, and an inventory of organization practices is conducted, to develop a formal privacy notice.
- The privacy notice is communicated to employees and customers. The privacy notice is updated each year to ensure it aligns with current business practices. The updated privacy notice is communicated to all employees and customers annually.

COBIT Reference: PO8, AI4, DS5

Business Objective: The organization monitors compliance with its privacy notice.

Risk:
- Activities may not be performed in accordance with statements in the privacy notice.

Control:
- Internal audit or members of the privacy group review compliance with the organization’s privacy notice on a regular basis.
- Any new practices or uses of customer information are reflected in the privacy notice.

COBIT Reference: M1, M4


Training and Procedural Controls

Business Objective: CSRs are trained on the organization’s privacy policies and procedures.

Risk:
- CSRs may be improperly trained; therefore, they may provide inaccurate or misleading information about organization privacy practices.
- CSRs may inadvertently provide customer information to individuals attempting to compromise the customers’ identities.

Control:
- CSRs are recognized as a critical point of contact for customers around many issues, including privacy. Therefore, they are provided with comprehensive training on:
  - General privacy topics
  - Privacy risks
  - The organization’s privacy guidelines
  - Safeguards against pretext calling
  - Regulatory requirements
  - Opt-out procedures
  - The right of customers to access their information, and methods to access customer information
  - Scripts to be used to provide a clear and consistent privacy message to consumers

COBIT Reference: PO4, PO6, PO7, DS5, DS7

Business Objective: CSRs process customer opt-in/opt-out requests in a timely and accurate manner.

Risk:
- Customer information may be used inappropriately.
- Customer dissatisfaction and regulatory oversight may occur.

Control:
- Opt-in/opt-out requests are processed within a period of time defined by the organization’s privacy management.
- Opt-in/opt-out requests are reviewed periodically to ensure they are entered and processed properly.

COBIT Reference: PO6, PO8, AI4
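The periodic review of opt-out processing can be carried out over CRM extracts rather than by sampling tickets by hand. The following Python is an added example and not part of the ISACA work program; it assumes a constructed opt-out request extract, a constructed marketing contact log and a hypothetical 10-day processing SLA, and reports timeliness, accuracy and effectiveness exceptions for the auditor's work papers.

```python
"""Audit test for opt-out processing (added example, not from the ISACA work program).
Data below is constructed; the SLA is a hypothetical figure set by privacy management."""
from datetime import date

# Hypothetical SLA: opt-out requests must be processed within 10 days of receipt.
SLA_DAYS = 10

# Constructed extract: date the CSR received the request, date the opt-out was
# processed (None = still open) and the flag currently stored in the CRM.
OPT_OUT_REQUESTS = [
    {"customer": "C001", "requested": date(2003, 3, 1), "processed": date(2003, 3, 4), "crm_flag": True},
    {"customer": "C002", "requested": date(2003, 3, 2), "processed": date(2003, 3, 20), "crm_flag": True},
    {"customer": "C003", "requested": date(2003, 3, 5), "processed": None, "crm_flag": False},
    {"customer": "C004", "requested": date(2003, 3, 6), "processed": date(2003, 3, 8), "crm_flag": False},
]

# Constructed marketing contact log: (customer, date of contact).
CONTACT_LOG = [
    ("C001", date(2003, 3, 2)),   # before the opt-out was processed: acceptable
    ("C001", date(2003, 3, 10)),  # after processing: exception
    ("C002", date(2003, 3, 15)),  # contacted while the request was still pending
    ("C004", date(2003, 3, 12)),  # processed, but the CRM flag was never set: exception
]

def audit_opt_outs(requests, contacts, sla_days=SLA_DAYS, as_of=date(2003, 3, 31)):
    """Return (customer, finding) tuples; an empty list means no exceptions."""
    findings = []
    for r in requests:
        cust, done = r["customer"], r["processed"]
        # Timeliness: processed late, or still open beyond the SLA as of the review date.
        if done is None:
            if (as_of - r["requested"]).days > sla_days:
                findings.append((cust, "unprocessed beyond SLA"))
        elif (done - r["requested"]).days > sla_days:
            findings.append((cust, "processed late"))
        # Accuracy: marked processed, but the CRM record does not carry the opt-out flag.
        if done is not None and not r["crm_flag"]:
            findings.append((cust, "processed but CRM flag not set"))
        # Effectiveness: any marketing contact dated after the opt-out was processed.
        for c_cust, c_date in contacts:
            if c_cust == cust and done is not None and c_date > done:
                findings.append((cust, f"contacted on {c_date} after opt-out"))
    return findings

if __name__ == "__main__":
    for customer, finding in audit_opt_outs(OPT_OUT_REQUESTS, CONTACT_LOG):
        print(f"{customer}: {finding}")
```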


Business Objective: CSR behavior and privacy messaging are monitored.

Risk:
- Improper privacy messaging may occur, which may contribute to identity theft and improper opt-out procedures.

Control:
- CSRs are informed that their conversations may be recorded and monitored.
- Conversations are reviewed periodically to ensure that appropriate privacy messages are given to customers and that privacy procedures are followed.

COBIT Reference: PO6, PO7
