When Salesforce Meets SOX, Part Two: Metadata

Today in our ongoing look at SOX compliance in Salesforce, we’re talking metadata. We kicked off this blog series last week by discussing access control — if you missed that post, check it out here. 

To effectively meet SOX requirements for the Salesforce platform, it's critical that you narrow the scope of inquiry. System documentation and dependency analysis will help you understand which objects and automation touch revenue-related processes, but that’s only part of what your auditors are concerned about. They’ll also want to see that you have a system for monitoring and managing changes to that metadata.

What Does This Mean?

What auditors actually want is simple — in theory. They want to see that any changes that could affect revenue-related data were reviewed and approved by the proper authorities. The problem is that it can be very hard to isolate those changes in a busy Salesforce Org — and even harder to prove to auditors that they have been made according to proper controls. 

That’s where Strongpoint comes in. Strongpoint continuously monitors your Org and provides a closed-loop process for you to prove that you have complete visibility into all your changes, and that those that are in scope for SOX are managed properly.

Here are some of our out-of-the-box tools for doing just that.

Change Logs

Strongpoint automatically records every change in your Org and logs it in our appropriately named change logs. Change logs are an immutable, date- and time-stamped record containing a full, detailed diff showing what happened and when it happened. Here’s what one looks like in our test Org:

[Screenshot: Strongpoint change log in Salesforce]

Without change logs, you’d have to search through the audit trail to find this data — a time-consuming process that’s subject to human error. So if you do nothing else, Strongpoint’s change logs have already saved you considerable time, by showing you — and your auditors — what you need to see, in one convenient place.

Policy Records

Having a record of every change in your Org is great for a variety of reasons. But it doesn’t solve one of the key challenges of getting ready for SOX — namely, that only certain metadata is in scope for audit. 

Strongpoint solves this by allowing you to easily create change controls at the metadata level. In other words, if you know a custom Object is in scope for SOX, you can create a process to ensure that any changes affecting it are reviewed by the right person before being made. These are great for high-level governance or for hyper-specific control requirements (e.g., specific fields integrated with your ERP).

These processes are stored in Strongpoint’s Policy Records (which are themselves monitored continuously for changes). Here’s what one looks like:

[Screenshot: Strongpoint approval policy in Salesforce]

Change Requests

With granular policies targeting the changes that are of interest to auditors, you simply need to prove to auditors that those policies were followed (or that you know when they weren't). 

On its own or integrated with Jira/ServiceNow, Strongpoint applies impact analysis to every proposed change and tells you if it’s safe to make. Anything not covered by a policy is given the green light to complete via your normal process; anything in scope for SOX is elevated according to the process you’ve set out in your Policy Records.

In this screenshot, you can see that Strongpoint has assessed the impact of a requested change and determined that, according to the policy, it requires development and testing in the sandbox:

[Screenshot: Strongpoint change request in Salesforce]

Audit-Ready Reporting

With Strongpoint, completed changes are automatically reconciled back to the originating request, and all this information is collected in auditor-friendly reports showing what happened, what was safe, what was reviewed, and what fell through the cracks.  

Here's the basic 'What Changed' report:

[Screenshot: Strongpoint 'What Changed' report in Salesforce]

Right away, you can see what was changed, what the required policy was, and whether or not the change followed it. Strongpoint gives you many options for sorting and filtering these reports, so it's easy to drill down on what's most important. 

A 'Closed Loop' System

Change logs, Policy Records and Change Requests are the basic building blocks of Strongpoint's change management system. Together, they form a 'closed loop' process that monitors all development activity in your Org and captures both the changes that followed policy, and the changes that didn't. Effectively, it's a 'continuous compliance' posture that ensures you're always ready for audit. 

Check back next week for the final part of our Salesforce SOX blog series, covering CPQ and related configuration data.