When Salesforce Meets SOX, Part Three: Configuration Data

Welcome back to the last installment in our three-part blog series, “When Salesforce Meets SOX!” If you missed the earlier posts, here's part one, about access control, and part two, covering metadata.

Today, we’re covering configuration data, with a specific focus on Salesforce CPQ and related applications.

Why Configuration Data?

As we’ve mentioned in previous installments, when it comes to SOX and Salesforce, auditors typically only care about configurations that can affect revenue recognition. Where do you find that? In most Orgs, primarily in the CPQ and Billing applications. (We’ve also seen things like FinancialForce and commission modules come into scope — the same considerations apply.)

The problem is that CPQ and similar apps store product, pricing, approvals and discount rules as configuration data in custom Objects. With Salesforce’s native tools, this data is very hard to track in a way that satisfies auditors. Fortunately, Strongpoint solves this problem. Here’s how!

CPQ Pricing Policies

Strongpoint lets you quickly create highly granular, highly customized change policies for individual custom objects in the CPQ package. This allows you to protect and monitor what’s most important. Here’s a look at a list view, where you can see in the right-hand column which customizations we’ve chosen to focus on:

[Screenshot: CPQ setup in Strongpoint for Salesforce]

After selecting what's in scope, you can easily connect these customizations to a CPQ Pricing Policy where all changes can be tracked. This is flexible and can be a highly targeted policy only for CPQ, or it can bring into scope other elements for SOX. This will help you easily identify and track the changes auditors are concerned with:

[Screenshot: CPQ Pricing Policy in Strongpoint for Salesforce]

What Happens When You Make a Change?

Strongpoint policy records give you three levels of scrutiny for changes to configuration data — not tracked; tracked, non-blocking; and tracked, blocking.

Not Tracked

"Not tracked" customizations are considered safe/out of scope for SOX, and are not governed by Strongpoint's change management system. Developers can modify them freely without additional approvals, and Strongpoint does not create change logs for them.

Tracked, Non-Blocking

Enabling tracking on a CPQ custom Object enters it into Strongpoint’s change management system. This means that any change to configuration data will be reconciled back to an originating request. If the change request can’t be found — i.e., if the change was completed without the proper review and approval — it’s marked as noncompliant. If the change can be linked back to an approved request, it’s marked as compliant.

In the change log, you'll find a flag indicating which changes were compliant and which were not. In this case, we see that CL-12359, the first change on the list, doesn't have a change request associated with it in the right-hand column. Consequently, it's been flagged as noncompliant:

[Screenshot: CPQ change logs]

Tracked, Blocking

The strictest level of control in the CPQ Pricing Policy gives you the option of blocking risky changes without prior approval. This is often used for pricing and discount data, which impact revenue directly. If a user attempts to make a change to a field that has blocking enabled, they will be unable to do so unless a change request has been submitted in advance.

In this screenshot, we can see that Strongpoint has automatically blocked a change to the 'Price' field in the Block Price customization because it didn't have an approved change request:

[Screenshot: CPQ change blocked by Strongpoint in Salesforce]

The Audit Process

Effectively, Strongpoint's CPQ change controls are a closed-loop system: they track all activity for in-scope customizations and configuration data, applying extra scrutiny to risky changes and blocking those of the highest concern. Anything that didn't follow policy (i.e., changes to Objects with the 'Tracked, Non-Blocking' control enabled that can't be reconciled back to a change request and approval) is collected in a report for easy review. Many Salesforce teams have a standing meeting to clear out these changes and keep their Org ready for audit on a continuous basis.

With this done, prepping for an audit is as easy as pulling three additional reports — one showing all compliant changes, one showing all outstanding noncompliant changes and one showing their resolution. The entire system is easy to set up, fits seamlessly into your existing processes and eliminates up to 90% of the work around SOX compliance. 
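To make the three control levels and the reconciliation step concrete, here is a small model of the decision logic, added as an illustration and not taken from Strongpoint's product or code. The record ids, the object names other than Block Price, and the rule that an approved request must also cover the object being changed are assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class Level(Enum):
    NOT_TRACKED = 1
    NON_BLOCKING = 2
    BLOCKING = 3

@dataclass(frozen=True)
class Change:
    log_id: str                 # change log entry id (constructed)
    obj: str                    # object the change touched
    request_id: Optional[str]   # change request cited, if any

def evaluate(change, policy, approved):
    """Return (applied, status) for one attempted change."""
    # Assumption: objects absent from the policy are out of scope.
    level = policy.get(change.obj, Level.NOT_TRACKED)
    if level is Level.NOT_TRACKED:
        return True, "not_tracked"
    # Assumption: a request counts only if approved AND scoped to this object.
    if change.obj in approved.get(change.request_id, set()):
        return True, "compliant"
    if level is Level.BLOCKING:
        return False, "blocked"       # change never lands
    return True, "noncompliant"       # change lands, flagged for review

def audit_report(changes, policy, approved):
    """Group change log ids by status for the review meeting and the audit."""
    report = {}
    for c in changes:
        _, status = evaluate(c, policy, approved)
        report.setdefault(status, []).append(c.log_id)
    return report

# Constructed sample data (not from a real Org)
POLICY = {"Block Price": Level.BLOCKING, "Discount Schedule": Level.NON_BLOCKING}
APPROVED = {"CR-1": {"Block Price"}, "CR-2": {"Discount Schedule"}}
CHANGES = [
    Change("CL-1", "Block Price", "CR-1"),        # approved, in scope
    Change("CL-2", "Block Price", None),          # no request: blocked
    Change("CL-3", "Discount Schedule", "CR-2"),  # approved, in scope
    Change("CL-4", "Discount Schedule", None),    # no request: applied, flagged
    Change("CL-5", "Discount Schedule", "CR-1"),  # request covers another object
    Change("CL-6", "Quote Template", None),       # not in policy
]

if __name__ == "__main__":
    for status, ids in audit_report(CHANGES, POLICY, APPROVED).items():
        print(status, ids)
```

CL-5 is the case worth checking in any such control: a change that cites a real, approved request which was never approved for that object.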
