LEADING WITH GRC - MetricStream

Transcription

LEADING WITH GRC
Common Controls Framework
Sundar Venkat, Sr. Director Technology Compliance, Salesforce

Forward-Looking Statements
Statement under the Private Securities Litigation Reform Act of 1995:
This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If any such uncertainties materialize or if any of the assumptions proves incorrect, the results of salesforce.com, inc. could differ materially from the results expressed or implied by the forward-looking statements we make. All statements other than statements of historical fact could be deemed forward-looking, including any projections of product or service availability, subscriber growth, earnings, revenues, or other financial items and any statements regarding strategies or plans of management for future operations, statements of belief, any statements concerning new, planned, or upgraded services or technology developments and customer contracts or use of our services.
The risks and uncertainties referred to above include – but are not limited to – risks associated with developing and delivering new functionality for our service, new products and services, our new business model, our past operating losses, possible fluctuations in our operating results and rate of growth, interruptions or delays in our Web hosting, breach of our security measures, the outcome of any litigation, risks associated with completed and any possible mergers and acquisitions, the immature market in which we operate, our relatively limited operating history, our ability to expand, retain, and motivate our employees and manage our growth, new releases of our service and successful customer deployment, our limited history reselling non-salesforce.com products, and utilization and selling to larger enterprise customers. Further information on potential factors that could affect the financial results of salesforce.com, inc. is included in our annual report on Form 10-K for the most recent fiscal year and in our quarterly report on Form 10-Q for the most recent fiscal quarter. These documents and others containing important disclosures are available on the SEC Filings section of the Investor Information section of our Web site.
Any unreleased services or features referenced in this or other presentations, press releases or public statements are not currently available and may not be delivered on time or at all. Customers who purchase our services should make the purchase decisions based upon features that are currently available. Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements.

GRC for High Performers GRC Summit 2017 All Rights Reserved

Together, We're Building a Path Forward
- 2.39B Q1 FY18 revenue
- 25K employees
- 389B in GDP impact by 2020
- 2M jobs created by 2020
- "Innovator of the Decade" (September 2016); The world's most innovative companies, 2011, 2012, 2013, 2014, 2015, 2016
(Timeline graphic: 2009 through 2017)
Source: IDC White Paper, sponsored by Salesforce, "The Salesforce Economy," August 2016

The Age of the Customer
Connect to your customers in a whole new l
- Service
- A Single View of the Customer
- Connected Products
- Guided Sales

Who we are. What we do. How we do it.
- Compliance for Core Certs
- Partnerships with the Business
- Design for 2020 (Maturity & Efficiency)
- Intake Process for New Certs
- Sustain
Elements of Trust: Trusted Security, Always On Availability, Performance at Scale
Certifications shown: Global AMP, ISO, Japan Pmark, Germany TUV, Australia iRAP, UK Cyber Essentials

Compliance Scalability Challenges
- Salesforce continues to grow rapidly across various industries and geographies. The number of compliance frameworks, regulatory requirements and stringency continues to increase.
- We did not have a standardized baseline across compliance frameworks across various Salesforce services.
- Certifications/audits occur throughout the year, causing audit fatigue to Business Partners.
- Lack of consistency in evidence collection.
- Inefficient control testing with no reuse of audit evidence.
- Intake of new compliance frameworks cumbersome.

Common Controls Framework (CCF) - Vision
Compliance Center: "We are the global standard of excellence in internal audit, compliance and risk services. We enable the company's success."
1. Strengthen Governance: Secure Executive Commitments; Implement & Execute Governance Model; Drive Adoption & Enable Change Management; Training & Awareness
2. Streamline Audits: Align Audit Schedules; Consolidate Auditors; Streamline Evidence Gathering; Consolidate Remediation Asks
3. Develop & Optimize Compliance Content: Develop CCF Approach; Integrate Risks into Framework; Complete Mapping & Develop Content; Continuous Surveillance & Content Refresh
4. Transform Risk & Compliance Processes: Internal Controls Monitoring; Process Maturity Assessment; Mature Technology Risk Management Function; Continuous Process Improvements
5. Implement Effective GRC & Tooling: Define Requirements; Evaluate & Select Vendor; Implement System; Ongoing Maintenance
Legend: Activity Completed / Activity Underway / Planning

CCF Accomplishments
Highlights
- CCF maintained on MetricStream
- Internal stakeholders involved: Tech Compliance, Engineering, Infrastructure, Information Technology, Security
- Scope: 17 frameworks; 5,128 requirements
- Final consolidated control count: 326
- % consolidation to Salesforce controls: 93%
Accomplishments
- Created baseline of controls across compliance frameworks
- Minimized touch points with business partners and reduced audit fatigue
- Streamlined process and re-use of evidence across frameworks
- Optimized intake for new requirements
- Enabled embedded compliance across the company and more efficient compliance execution

CCF Change Management & Sustainability
(Process diagram; swimlanes: PwC, BP, TC, TC/BP)
1.0 Authoritative Source Monitoring: identify changes to the compliance landscape
- Revisions or additions to existing framework requirements (e.g. PCI 3.1 to 3.2, or a new framework source)
- New, changed, or retired requirements (e.g. ISO, NIST, GDPR)
- Changed business context (i.e. new acquisitions, frameworks, products & services)
- Changes during audit cycles (TC or External), i.e. test procedures, evidence, control owners
2.0 Change Operations: determine applicability and impact to the CCF content library
- New or updated common controls (Control and Audit Attributes)
- Changed CCF data attributes (e.g. Control ID, Integrated Requirement, Control Implementation Statement)
- Decision: content refresh process required? Yes -> 3.0 Content Refresh; No -> TC Signoff
3.0 Content Refresh: refresh CCF Content Library; offline reviews; BP Signoff; TC Signoff; update in MetricStream

MetricStream Journey and Timeline (2015, 2016, 2017)
System Selection (Completed): Solution Design; Build vs. Buy; Vendor Selection: MetricStream
Process and Data Readiness (Completed): Refine Requirements; Process Alignment; Data Harmonization
Timeline markers for the above: Oct 2015, Jan 2016, Jun 2016, Aug 2016
Implementation (Active):
- Phase 1 - SOX & IT Compliance Modules: Nov 2016 - May 2017
- Phase 2 - IA and ERM Modules: May 2017 - Oct 2017
- Phase 3 - SOX & IT Compliance Enhancements: May 2017 - Jul 2017
- Phase 4 - SOX 3.0 SubCerts: May 2017 - Jun 2017


MetricStream modules and integrations in use:
- Testing
- Libraries
- Evidence Gathering
- Internal Audit
- Single Sign On
- Findings/Remediation
- HR System Integration
- Other System Integrations
- Enterprise Risk Management
- Audit Planning/Scoping
- SOX Certifications
- Email Escalations

Thank You!
Continue the conversation online: #GRCSummit

Additional slide labels: A Single View of the Customer; Guided Sales; Connected Products. Certifications: CJIS, DoD, Australia iRAP, HIPAA, Germany TUV, UK Cyber Essentials. Partner teams: Infrastructure, Trust, IT, Corp, Legal, Dev, GBO. Modules: Single Sign On, HR System Integration, Audit Planning/Scoping, Internal Audit, Enterprise Risk Management, SOX Certifications.