Audit and Microsoft Dynamics CRM? Really?

At a recent Microsoft conference, I was chatting with a few developers about security in Dynamics CRM. When I mentioned that many auditors at our customer sites were taking a harder look at CRM, the comment was met with puzzled looks. Why would auditors care about CRM?  It's just customer info right?

At many organizations, Dynamics CRM has developed beyond an electronic rolodex and has become a key system used to track key prospect, customer, inventory and personal data.   Any time an application is used to store critical or high risk data, the auditors are going to want to see controls in place around that data.

Additionally, as CRM evolves into XRM, more companies are maintaining inventory, orders and payments inside the CRM system. Inherent in these types of transactions is risk related to fraud, privacy, misappropriation and misstatement of financials. Controls need to be developed to mitigate these risks. These controls might be application security, database security or processes outside of Dynamics.

Finally, there has been increasing legislation around privacy and protection of personal data. Since so much of the data tracked in CRM is personal, companies are finding increasing demands for CRM security and monitoring. This is especially true in regulated industries such as healthcare, pharmaceuticals and even sports ticket sales.

So the auditors are coming. What to do? As a starting point, use the following 3 key focus areas.  First, understand who has access to Dynamics CRM. Set up a process to review access permissions on a periodic basis. Clearly define a report that shows the users and the access that each user has.  Second, monitor the changes being made to the data.   We not only need to understand who has access to the data but what they did ...