When Salesforce Meets SOX, Part One: User Access
We’re seeing more and more that SOX auditors are turning their attention to Salesforce systems. It’s a trend we’ve noticed for some time, but there’s still a lot of uncertainty about what’s in scope and what isn’t.
Part of the problem is that most of Salesforce — things like marketing operations, for example — don’t touch revenue-related data and, as a result, they aren’t of concern to SOX auditors. But apps like CPQ and Billing can impact rev ops. And increasingly, auditors are asking Salesforce teams to prove they’re managing them in a compliant manner.
We’ve found there are three basic components to this: user access, metadata and configuration data. Over the next three weeks, we’ll be looking closely at each in a series of blog posts. If you follow our webinar schedule, this may look familiar to you — we recently hosted a session about this topic, which you can view here.
With that said, let’s kick things off with a look at user access in Salesforce — why it’s important to auditors, and how you can make the audit process a lot less painful with some of our free tools.
What’s in Scope?
When it comes to critical data and revenue-related Objects, one of the first questions auditors will ask is, “Who has access to it?"
Salesforce profiles, permission sets and permission set groups specify the levels of access users have to various custom objects. (If you’d like a refresher course on how access works in Salesforce, we’ve got a great webinar on the topic here). So for SOX purposes, knowing who has access to what — who can view, edit or delete revenue-related data — is critical to determining whether or not something is in scope.
The problem is that custom objects that store data in apps like CPQ are complex. A single object may connect to a wide range of properties, such as forms, fields, report types, list views, etc. Without Strongpoint, there's no easy, automated way to see these connections. As a result, looking closely at access levels for every property attached to an Object is incredibly time-consuming — it's a slow, manual process that's virtually impossible to do efficiently at scale.
Worse still, access controls are always changing as new team members are added and roles evolve. Even if you conduct a painstaking manual field access review, by the time you are done, your results could be obsolete.
Strongpoint starts by documenting every customization in your Org and mapping out the connections between them. It then leverages that data to automate access reviews and other key goals related to SOX.
Out of the box, Strongpoint comes with several reports that help you perform a high-level access review in your Org. The 'Permissions with Profile/PermissionSet' report, for example, shows you every permission associated with a profile or permission set, grouped by Object. Here's what it looks like in our test Org:
We also include a helpful report mapping permissions sets to the users assigned to them — which, together Salesforce's user profile reports, gives you a comprehensive picture of the profiles and permission sets associated with everyone in your system.
Strongpoint's reports are a great place to begin understanding access in your Org, but if you need to go deeper, the Object Exporter tools gives you a more highly focused, field-level look at your Objects, profiles and permission sets.
Object Export is available on both our core products and our free app, Flashlight. It's easy to use and extremely flexible. Here's a screenshot:
In the tabs at the top, you can see the Exporter gives you three options for drilling down and identifying potential gaps for SOX compliance:
- By Object: This report lets you look closely at one or more standard or custom Object. It lists every custom field, standard field, formula field, record type, picklist value, button and link associated with it, and breaks down the level of access every selected profile or permission set has for that property.
- By Profile/Permission Set: Alternatively, you can drill down on one or more profiles or permission sets to see which custom Object properties a user with that level of access can view, edit or delete.
- By User: Finally, Strongpoint makes it very easy to look at a specific user, or group of users, and see what levels of access they have across your entire Org — a great way to prepare for a profile/permission set consolidation project.
And here's what the output looks like:
Access review is critical for SOX, but it's not the only thing you can do with Strongpoint. Highly regulated industries such as finance and pharma may need to demonstrate compliance with HIPAA or PII regulations. You can also use the Exporter to troubleshoot user access issues. Check out this post for a look at a few other potential use cases.
See it in Action
Here's a short clip walking you through everything we covered in this post:
If you'd like to see Strongpoint in action in your Org, download a free Flashlight license or, better yet, book a demo with our team to get pricing and find the right solution for you: